使用機器學習模型偵測加密型網域名稱系統中的隧道攻擊

Abstract

隨著近年來網際網路犯罪猖獗，人們開始逐漸重視在網際網路上的隱私安全，原以明文進行傳輸的網域名稱系統(DNS)面臨到了是否需要轉型成以密文進行傳輸的問題。雖然使用密文進行傳輸有助於提升DNS的安全性，使得DNS封包免於被竊聽的風險，降低了被攻擊的可能性，同時卻產生了新的問題，攻擊者能夠透過加密型的DNS將惡意的網路行為隱藏於其中，例如DNS隧道攻擊。 在加密型DNS中，以DNS-over-HTTPS(DoH)最具有發展性，本研究旨在探討如何偵測藏匿於DoH中的DNS隧道攻擊。在以明文進行傳輸的DNS中，已經存在許多成熟的方法用於偵測DNS隧道攻擊，然而這些方法大多不適用於在DoH中偵測DNS隧道攻擊。我們在研究中使用了機器學習的技術，透過分析封包的大小以及傳輸的頻率，能夠在短時間內準確地偵測到存在於DoH中的DNS隧道攻擊。

With the rampant Internet crime in recent years, people have begun to pay more attention to privacy and security on the Internet. DNS transmitted in plaintext faces the problem of whether it needs to be converted into ciphertext transmission. Although the ciphertext for transmission helps to improve the security of DNS, making DNS packets free from the risk of eavesdropping attacks, it creates new problems. Malicious traffic can be hidden in it, such as DNS tunneling attacks. Among encrypted DNS traffic, DNS-over-HTTPS (DoH) is the most developed. Thus, this research explores how to detect DNS tunneling attacks hidden in DoH. There are many mature methods for detecting DNS tunneling attacks transmitted in plaintext, but most of these methods are not suitable for detecting DNS tunneling attacks in DoH. In this research, we adopt machine learning technology to detect DNS tunneling attacks in DoH. By extracting the packet size and transmission frequency as features and adopting two-staged prediction model, our method detects malicious DoH accurately in a short period of time.