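Abstract
Domain Name System (DNS) covert channels appear frequently in Advanced Persistent Threat (APT) attacks and pose a potential threat to cyberspace security. This paper proposes DSR-GAT, a DNS covert channel detection method based on Domain Semantic Representation (DSR) and the Graph Attention Network (GAT), which turns domain-level DNS covert channel detection into a node classification task on an undirected graph. First, a Domain Graph (DG) is built as an undirected graph based on the correlation between domain names. Then, using the textual nature of domain names, the semantic representation extracted by a one-dimensional convolutional neural network serves as the feature representation of each DG node. Finally, the message propagation mechanism and the multi-head self-attention mechanism of the graph attention network enhance the feature representation of each domain name. Experiments were run on a public dataset and on a self-built dataset based on the real APT sample Glimpse. The results show that the proposed DSR-GAT method detects well, lowers the missed-detection rate while solving the above problems, and reduces security risk to some extent.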
Domain Name System (DNS) covert channels are increasingly frequent in APT attacks and are a potential threat to cyberspace security. To address the lack of correlation analysis in domain-name-based DNS covert channel detection, this paper proposes DSR-GAT, a DNS covert channel detection method based on domain semantic representation (DSR) and the graph attention network (GAT), which transforms DNS covert channel detection at the domain name level into an undirected-graph node classification task. First, based on domain name correlation, a domain graph (DG) is constructed as an undirected graph. Then, using the text data attribute of the domain name, its semantic representation is extracted by a one-dimensional convolutional neural network and used as the feature representation of the nodes in the DG. Finally, the feature representation of each domain name is enhanced by the message propagation mechanism and the multi-head self-attention mechanism of the graph attention network. Experimental results on a public dataset and on our own dataset based on real APT samples show that the proposed DSR-GAT achieves good detection performance, reduces the missed-detection rate while solving the above problems, and reduces security risks to some extent.
Authors
沈传鑫
王永杰
熊鑫立
SHEN Chuanxin; WANG Yongjie; XIONG Xinli (College of Electronic Engineering, National University of Defense Technology, Hefei 230037, China; Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation, Hefei 230037, China)
Source
《信息网络安全》
CSCD
Peking University Core Journals
2023, Issue 1, pp. 73-83 (11 pages)
Netinfo Security
Keywords
DNS covert channel
graph attention network
semantic representation
domain name correlation
APT