
A DNS covert tunnel event automatic detection method, device and electronic equipment

A technology for the automatic detection of DNS tunneling, applied in the field of network security. It addresses the high false positive rate of existing detection, its unsuitability for covert new DNS tunnels, and its failure to provide sufficient information. The effect is improved friendliness, enhanced interpretability, and a reduced false positive rate.

Active Publication Date: 2021-08-31
天际友盟(珠海)科技有限公司

AI Technical Summary

Problems solved by technology

However, current DNS tunnel detection has a high false positive rate, is not suitable for detecting covert new DNS tunnel Trojan horses, and cannot provide sufficient information for security analysts to conduct incident investigations after detection.


Examples


Embodiment 1

[0052] As shown in Figure 1, the embodiment of the present invention provides an automatic detection method for DNS covert tunnel events. It uses machine learning algorithms to detect suspected DNS covert tunnel traffic, followed by event clue calculation as a secondary check, and risk calculation, on the suspected DNS covert tunnel traffic.

[0053] The DNS covert tunnel event automatic detection method proposed by the present invention comprises:

[0054] Suspected DNS covert tunnel traffic detection step 101: collecting traffic data of the DNS tunnel and filtering redundant traffic data to obtain traffic samples; analyzing the traffic samples to extract traffic data features; using a preset model to identify the extracted traffic data features and obtain DNS tunneling events;

[0055] Event clue calculation step 102: performing a risk false-positive investigation of the DNS tunneling event across multiple clue dimensions; and

[0056] The event risk calculation ...

Embodiment 2

[0121] Another aspect of the present invention is a functional module architecture that corresponds fully to the aforementioned method flow. As shown in Figure 5, the embodiment of the present invention also provides a DNS covert tunnel event automatic detection device, including:

[0122] The traffic detection module 201, configured to collect traffic data of the DNS tunnel and filter redundant traffic data to obtain traffic samples; analyze the traffic samples to extract traffic data features; and use a preset model to identify the extracted traffic data features and obtain the DNS tunnel event;

[0123] An event clue calculation module 202, configured to perform a risk false-positive investigation of the DNS tunneling event across multiple clue dimensions; and

[0124] The event risk calculation module 203 is configured to calculate the risk value of the DNS tunnel event according to the investigation result; and output the DNS covert tunnel risk event alarm and th...

Embodiment 3

[0128] The present invention also provides a memory, which stores a plurality of instructions, and the instructions are used to realize the method described in the first embodiment.


Abstract

The invention discloses an automatic detection method, device and electronic equipment for DNS covert tunnel events. The method includes: collecting traffic data of DNS tunnels and filtering redundant traffic data to obtain traffic samples; analyzing the traffic samples to extract traffic data features; using a preset model to identify the extracted traffic data features and obtain the DNS tunnel event; performing a risk false-positive investigation of the DNS tunnel event across multiple clue dimensions; calculating the risk value of the DNS tunnel event according to the investigation results; and outputting a DNS covert tunnel risk event alarm together with the risk value. The solution of the present invention provides security analysts with various event investigation clues, reduces the false alarm rate, and improves interface friendliness.
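A minimal sketch of the three-stage flow the abstract describes (detect, investigate clues, score risk), added here as an illustration and not taken from the patent. The features, thresholds, clue dimensions, weights and all names are assumptions, a fixed threshold rule stands in for the preset model, and the query log is constructed sample data.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log of (client_ip, qname); not real traffic.
SAMPLE = (
    [("10.0.0.5", "www.example.com")] * 3
    + [("10.0.0.7", f"{i:02d}mzxw6ytboi4dcmrtgq2tmnzyhe3tqojq.tunnel.test") for i in range(30)]
    + [("10.0.0.9", f"{i:02d}a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5.avcdn.test") for i in range(30)]
)
ALLOWLIST = {"avcdn.test"}  # assumed clue: services known to encode data in DNS names

def entropy(s):
    """Shannon entropy in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def base_domain(qname):
    # Simplification: last two labels; production code should use the Public Suffix List.
    return ".".join(qname.split(".")[-2:])

def detect(log):
    """Stage 1: drop duplicate queries, extract per-domain features, apply the stand-in model."""
    per_domain = defaultdict(set)
    for client, qname in set(log):                      # filter redundant traffic
        q = qname.lower().rstrip(".")
        per_domain[base_domain(q)].add((client, q))
    events = []
    for domain, rows in per_domain.items():
        subs = [q[: -len(domain) - 1] for _, q in rows if len(q) > len(domain)]
        if not subs:
            continue
        feats = {"unique_subdomains": len(set(subs)),
                 "avg_len": sum(map(len, subs)) / len(subs),
                 "avg_entropy": sum(map(entropy, subs)) / len(subs)}
        # Assumed thresholds: many distinct, long, high-entropy names under one domain.
        if feats["unique_subdomains"] >= 20 and feats["avg_len"] >= 25 and feats["avg_entropy"] >= 3.5:
            events.append({"domain": domain, "clients": {c for c, _ in rows}, "features": feats})
    return events

def investigate(event):
    """Stage 2: clue dimensions used to screen false positives (assumed set)."""
    return {"allowlisted": event["domain"] in ALLOWLIST,
            "single_client": len(event["clients"]) == 1}

def risk(clues):
    """Stage 3: combine the clues into a 0-100 risk value (assumed weights)."""
    return 0 if clues["allowlisted"] else 70 + (30 if clues["single_client"] else 0)

def run(log):
    """Return {domain: risk value} for every event the detection stage raised."""
    return {e["domain"]: risk(investigate(e)) for e in detect(log)}
```

Both high-entropy domains pass the detection stage, but the allowlist clue drops the second to a risk of 0, which is the false-positive screening role the abstract assigns to the clue investigation.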

Description

Technical field

[0001] The invention relates to the field of network security, in particular to an automatic detection method, device and electronic equipment for DNS covert tunnel events.

Background technique

[0002] Network covert channels are an important way for attackers to bypass network security policies for data transmission, and DNS (Domain Name System) is a common means of implementing an application-layer covert channel. Through DNS tunnels, attackers can achieve remote access and control, bypass authority and access control measures, install and spread malware, move laterally, relay communications and steal data. As one of the key infrastructures of the Internet, DNS maps domain names and IP addresses to each other. The DNS protocol is rarely blocked by firewall policies. Even in an internal network, it is necessary to set up a DNS server for host name resolution. DNS is also a globally distributed database. Domain name recursive resolution requires the local...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L29/06, H04L29/12
CPC: H04L63/029, H04L63/1458, H04L61/4511
Inventor: 董龙飞, 李锟
Owner: 天际友盟(珠海)科技有限公司