DNS Covert Channel Detection Algorithm Based on Multi-channel Convolution Neural Network and Attention Mechanism
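【Abstract (translated from Chinese)】 A domain name system (DNS) covert channel is a network attack technique that uses the DNS protocol to leak data. It is favored by many advanced persistent threat (APT) groups and poses a serious threat to cyberspace security. To address the strong feature dependence and high false-positive rate of traditional machine learning methods, a DNS covert channel detection algorithm that fuses multi-channel convolution with an attention network is proposed. The algorithm operates on the bidirectional flow of DNS requests and responses. First, it combines a residual structure with parallel convolutions, using convolution kernels of different sizes to extract and fuse multi-scale feature information, so that features at different receptive fields are captured. Second, it introduces a channel attention mechanism to strengthen the extraction of key information from the convolutional channels and enrich the expressive power of the network model. Finally, a softmax function is used to detect DNS covert channels. Experimental results show that the proposed model detects DNS covert channels effectively, with average accuracy, precision and recall of 96.42%, 97.82% and 96.16% respectively, outperforming traditional methods.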
【Abstract】 A DNS (domain name system) covert channel is a kind of cyberattack used to achieve data leakage. It is favored by many APT (advanced persistent threat) organizations and poses a serious threat to cyberspace security. To address the problem that traditional machine learning methods rely on selected features and are prone to over-fitting, a DNS covert channel detection method fusing a multi-scale convolutional neural network and an attention mechanism is proposed. The method focuses on the bidirectional flow of DNS requests and responses. First, multi-scale convolutional kernels are used to extract the spatial features of DNS flows in parallel; widening the backbone network in this way lets the model extract richer context information. Then an attention mechanism is introduced to further mine the information in the fused feature maps across the multiple convolutional channels. Finally, a softmax classifier is used to detect DNS covert channels. The experimental results show that the proposed model can effectively detect DNS covert channels, and that the average accuracy, precision and recall are 96.42%, 97.82% and 96.16% respectively, which are higher than those of the traditional method.
【Key words】 DNS covert channel; traffic detection; convolutional neural network; attention mechanism
- 【Source】 科学技术与工程 (Science Technology and Engineering), 2024, Issue 35
- 【Classification No.】 TP393.08; TP18
- 【Downloads】 21