Network Tunnel Detection Method Based on

doi:10.3969/j.issn.1006-2475.2019.06.001

Abstract

Abstract: Using network tunnel to attack and steal has become a hot issue in the field of network security in recent years. How to improve the recognition accuracy caused by large-scale network tunnel detection and analysis is needed to be solved. Aiming at the problem of mainstream tunnel detection based on DNS and HTTP protocols, a network tunnel detection method based on automatic feature engineering and compressed sensing is proposed. Through the automatic feature engineering, the deeper network tunnel features are mined. The dimensionality is reduced and the computational efficiency is improved by the compressed sensing algorithm without losing the high-dimensional feature precision. The experimental results on large-scale real data sets show that the F-measure value of DNS tunnel detection can reach 95%, and the F-measure value of HTTP tunnel detection can reach more than 82%.

Key words: automatic feature engineering, compressed sensing, DNS tunnel, HTTP tunnel

CLC Number:

TP393.0

YU Hong-xing1,2, SHEN Guo-wei1,2, GUO Chun1,2. Network Tunnel Detection Method Based on[J]. Computer and Modernization, 2019, 0(06): 1-.

References

［1］刘正. 浅析网络数据通信中的隐蔽通道技术［J］. 数字技术与应用, 2017(5):45.
［2］王靖云,史建焘,张兆心,等. 基于相对密度的DNS请求数据流源IP异常检测算法［J］. 高技术通讯, 2016(10):849-856.
［3］罗友强,刘胜利,颜猛,等. 基于通信行为分析的DNS隧道木马检测方法［J］. 浙江大学学报(工学版), 2017,51(9):1780-1787.
［4］ YU B, SMITH L, THREEFOOT M. Behavior Analysis Based DNS Tunneling Detection and Classification Framework for Network Security［EB/OL］. (2016-10-06)［2019-01-19］. http://www.freepatentsonline.com/y2016/0294773.html.
［5］ BORN K, GUSTAFSON D. Detecting DNS Tunnels Using Character Frequency Analysis［EB/OL］. ［2019-01-19］. https://arxiv.org/ftp/arxiv/papers/1004/1004.4358.pdf.
［6］章思宇,邹福泰,王鲁华. 基于DNS的隐蔽通道流量检测［J］. 通信学报, 2013(5):143-151.
［7］ ENGELSTAD P, FENG B, DOV T. Detection of DNS tunneling in mobile networks using machine learning［C］// International Conference on Information Science and Applications. 2017:221-230.
［8］ AIELLO M, MONGELLI M, CAMBIASO E, et al. Profiling DNS tunneling attacks with PCA and mutual information［J］. Logic Journal of the IGPL, 2016,24(6):957-970.
［9］单康康,郭晔,陈文智,等. 基于混合分类算法模型的DNS隧道检测［J］. 通信学报, 2018,39(S1):53-57.
［10］DAVIS J J, FOO E. Automated feature engineering for HTTP tunnel detection［J］. Computers & Security, 2016,59(C):166-185.
［11］兰景宏,刘胜利,李晔. 一种基于多层联合分析的HTTP隧道木马检测方法［J］. 计算机应用研究, 2016,33(1):240-244.
［12］胡洋瑞,陈兴蜀,王俊峰,等. 基于流量行为特征的异常流量检测［J］. 信息网络安全, 2016(11):45-51.
［13］杨旭. 基于行为分析的网络异常流量分类和检测技术研究［D］. 银川:宁夏大学, 2016.
［14］周颖杰. 基于行为分析的通信网络流量异常检测与关联分析［D］. 成都:电子科技大学, 2013.
［15］王宏. 基于行为分析的通信网络流量异常检测与关联分析［J］. 通讯世界, 2015(4):90.
［16］王泰格,杨翌,邵玉如. HTTP隧道木马原理分析及检测方法研究［J］. 软件导刊, 2012,11(9):152-153.
［17］LI S Z, YUN X C, ZHANG Y Z, et al. Anomaly-based model for detecting HTTP-tunnel traffic using network behavior analysis［J］. High Technology Letters, 2014,20(1):63-69.
［18］丁要军，刘小豫. 基于决策树分类的HTTP隧道检测方法［J］. 咸阳师范学院学报, 2011,26(2):49-53.
［19］DING Y J, CAI W D. A method for HTTP-tunnel detection based on statistical features of traffic［C］// 2011 IEEE 3rd International Conference on Communication Software and Networks. 2011:247-250.
［20］王宜菲,杨亚磊,饶孟良. 基于C4.5的HTTP隧道检测技术研究［J］. 计算机工程与设计, 2012,33(2):493-497.
［21］孙海涛,刘胜利,陈嘉勇. 基于操作行为的隧道木马检测方法［J］. 计算机工程, 2011,37(20):123-126.
［22］RAO M L, CAI W D, DING Y J. Research on HTTP tunnel detection technique based on SVM［J］. Computer Engineering, 2011,37(13):141-143.
［23］KANTER J M, VEERAMACHANENI K. Deep feature synthesis: Towards automating data science endeavors［C］// 2015 IEEE International Conference on Data Science and Advanced Analytics. 2015:1-10.
［24］NASR M, HOUMANSADR A, MAZUMDARA. Compressive traffic analysis: A new paradigm for scalable traffic analysis［C］// Proceedings of 2017 ACM SIGSAC Conference on Computer and Communications Security. 2017:2053-2069.

[1]	ZHANG Lian-na, ZHANG Hui-ping, LI Rong-peng, SONG Xue-li. Sparse Signal Reconstruction of Backtracking Generalized Orthogonal Matching Pursuit Algorithm Based on Secondary Screening [J]. Computer and Modernization, 2022, 0(03): 111-115.
[2]	CHEN Xun-hao, YANG Ying, HUANG Jun-ru, SUN Yu-bao. Video Snapshot Compressed Sensing Reconstruction Based on Multi-scale Fusion Network [J]. Computer and Modernization, 2021, 0(12): 58-64.
[3]	JIN An-an, DING Shuang-shuang, XIONG Qing-zhi, XU Ting-ting, XI Shu-ping, MA Ji-zhong. Optimization Reconstruction of EPMA Image Based on SWOMP Algorithm [J]. Computer and Modernization, 2020, 0(12): 104-111.
[4]	ZHANG Lei, CUI Juan-juan, LI Jing-jing. A Clustering Data Collection Algorithm in WSN Based on Compressed Sensing [J]. Computer and Modernization, 2020, 0(09): 1-5.
[5]	ZHANG Huan1,2, LEI Hong1. Analysis of Phase Transition of Penalized Optimization Method in Corrupted Sensing Problem [J]. Computer and Modernization, 2019, 0(06): 76-.
[6]	WU Jia1, ZHAO Yun2, ZHANG Li-juan3, SONG Wen2. Prediction of Cellular Traffic Based on Space-time Compression Sensing [J]. Computer and Modernization, 2018, 0(12): 11-.
[7]	DONG Yuan-quan1, WANG Hao2. Multiple Target Localizationin WSNs via CS Reconstruction Method Based on Discrete CSO Algorithm [J]. Computer and Modernization, 2017, 0(12): 23-27.
[8]	SHEN Huijun. Efficient Compressed Sensing Magnetic Resonance Imaging #br# Based on Compound Regularization [J]. Computer and Modernization, 2016, 0(5): 39-45.
[9]	ZHONG Zhi-wei. Low-dose CT Image Reconstruction Based on Adaptive Kernel Regression Method and Algebraic Reconstruction Technique [J]. Computer and Modernization, 2016, 0(11): 38-42.
[10]	LIU Ji-cheng1, WANG Min-ying1, LI Hao-ran2. Image Reconstruction Based on Improved CoSaMP Algorithm [J]. Computer and Modernization, 2015, 0(5): 48-52.
[11]	LIU Hong-jiang;LI Wen-ying. Research on Technology of Quantum Tomography Based on Compressed Sensing [J]. Computer and Modernization, 2011, 12(12): 121-125.