面向AI模型训练的DNS窃密数据自动生成

Automatic Data Generation of DNS-Based Exfiltration for AI-Model Training

近年来,借助DNS协议良好的隐蔽性和穿透性实施数据窃取已成为诸多APT组织青睐的TTPs,在网络边界监测DNS流量进而精准发现潜在攻击行为已成为企事业单位急需建立的网络防御能力。然而,基于DNS的APT攻击所涉及的恶意样本存在难获取、数量少、活性很低等现实问题,且主流的数据增强技术不适合移植到网络攻防这个语义敏感领域,这些问题制约了AI检测模型训练。为此,本文基于DNS窃密攻击机理分析,并结合了大量真实APT案例和DNS工具,提出了一种基于攻击TTPs的DNS窃密流量数据自动生成及应用方法,设计并实现了DNS窃密流量数据自动生成系统—MalDNS,以生成大规模、高逼真度、完备度可调的DNS窃密数据集。最后,通过实验验证了生成流量数据的有效性,以及对检测模型训练的有效支撑。

In recent years,it has become the favorite TTPs of many APT organizations to implement data exfiltration by taking advantage of the good concealability and penetration of DNS protocol.Therefore,it’s imperative for enterprises and institutions to establish the defense capacity to monitor DNS traffic at the network boundary so as to accurately detect the potential attack behavior.However,datasets of DNS-based APT campaigns involve lots of practical problems such as difficulty to obtain,small quantity,and low activity.Also,the available technology of data augmentation is not suitable for transplanting to such semantic sensitive field.These problems have restricted the training of AI detection models.Therefore,based on the analysis of DNS-based exfiltration mechanism,combined with a large number of real APT cases and DNS-based exfiltration tools,we propose a method that can automatically generate traffic data based on DNS-based exfiltration TTPs.We design and establish an automatic generation system named MalDNS to generate a target DNS-based exfiltration dataset with large-scale,high fidelity,and adjustable integrity.Finally,our experiments indicate that the generated dataset is effective and can support the training of the detection models effectively.