http://www.ijrter.com/papers/volume-2/issue-4/dns-tunneling-detection.pdf 
《DNS Tunneling Detection》
In this paper we have presented a method of the DNS tunneling detection based on the clustering of the DNS traffic images.
检测手段也分为两种:
DNS packet analysis and DNS traffic analysis. Packet analysis denotes the request and response payload examination. Traffic analysis denotes the packets study in time to collect statistics – such as count of the packets from a single host, submission frequency, etc.
DNS packet analysis方法:
1. Request and response packet size analysis.
2. Domain names entropy analysis. 
3. Usage of the non-common types of DNS resource records. 
4. Frequency of the digit occurrences in the domain names.

DNS traffic analysis techniques:
1. The DNS traffic volume from a single IP address.
2. 2. The DNS traffic volume for certain domains. 
3. The DNS server geographic location.
4. Time of the DNS resource records creation.

http://onlinelibrary.wiley.com/wol1/doi/10.1002/dac.2836/full
DNS tunneling detection through statistical fingerprints of protocol messages and machine learning
The proposed monitoring mechanism looks at simple statistical properties of protocol messages, such as statistics of packets inter-arrival times and of packets sizes.

https://arxiv.org/abs/1004.4358 
Detecting DNS Tunnels Using Character Frequency Analysis
This paper explores the possibility of detecting DNS tunnels by analyzing the unigram, bigram, and trigram character frequencies of domains in DNS queries and responses. It is empirically shown how domains follow Zipf's law in a similar pattern to natural languages, whereas tunneled traffic has more evenly distributed character frequencies. This approach allows tunnels to be detected across multiple domains, whereas previous methods typically concentrate on monitoring point to point systems. Anomalies are quickly discovered when tunneled traffic is compared to the character frequency fingerprint of legitimate domain traffic.

http://www.sciencedirect.com/science/article/pii/S1389128608003071
Tunnel Hunter: Detecting application-layer tunnels with statistical fingerprinting
In this paper we propose a statistical classification mechanism that could represent an important step towards new techniques for securing network boundaries. The mechanism, called Tunnel Hunter, relies on the statistical characterization at the IP-layer of the traffic that is allowed by a given security policy, such as HTTP or SSH. The statistical profiles of the allowed usages of those protocols can then be dynamically checked against traffic flows crossing the network boundaries, identifying with great accuracy when a flow is being used to tunnel another protocol. 
类似文章在:A Bigram based Real Time DNS Tunnel Detection Approach 
http://www.sciencedirect.com/science/article/pii/S1877050913002421

http://ieeexplore.ieee.org/abstract/document/6755060/?reload=true 
Basic classifiers for DNS tunneling detection
The paper deals with DNS tunneling detection by means of simple supervised learning schemes, applied to statistical features of DNS queries and answers.

https://link.springer.com/chapter/10.1007/978-3-319-07995-0_46
Supervised Learning Approaches with Majority Voting for DNS Tunneling Detection
To do that, we pose a classification problem on several statistical fingerprints
(features) of query and answers, acquired during the system evolution. More
specifically, let q and a be the packet sizes of a query and the corresponding
answer。

https://link.springer.com/chapter/10.1007/978-3-642-38998-6_16
Flow-Based Detection of DNS Tunnels
In this paper we develop such a technique, based on the monitoring and analysis of network flows. Our methodology combines flow information with statistical methods for anomaly detection. The contribution of our paper is twofold. Firstly, based on flow-derived variables that we identified as indicative of DNS tunnelling activities, we identify and evaluate a set of non-parametrical statistical tests that are particularly useful in this context. Secondly, the efficacy of the resulting tests is demonstrated by extensive validation experiments in an operational environment, covering many different usage scenarios.

DNS通道检测 国外学术界研究情况——研究方法:基于流量,使用机器学习分类算法居多,也有使用聚类算法的;此外使用域名zif low也有的更多相关文章

  1. DNS通道检测 国内学术界研究情况——研究方法:基于特征或者流量,使用机器学习决策树分类算法居多

    http://xuewen.cnki.net/DownloadArticle.aspx?filename=BMKJ201104017&dbtype=CJFD<浅析基于DNS协议的隐蔽通道 ...

  2. Android 第三方应用接入微信平台研究情况分享

    微信平台开放后倒是挺火的,许多第三方应用都想试下接入微信这个平台,毕竟可以利用微信建立起来的关系链来拓展自己的应用还是挺不错的 最近由于实习需要也在研究这个东西,这里把我的整个研究情况给出来 微信平台 ...

  3. 利用机器学习进行DNS隐蔽通道检测——数据收集,利用iodine进行DNS隐蔽通道样本收集

    我们在使用机器学习做DNS隐蔽通道检测的过程中,不得不面临样本收集的问题,没办法,机器学习没有样本真是“巧妇难为无米之炊”啊! 本文简单介绍了DNS隐蔽通道传输工具iodine,并介绍如何从iodin ...

  4. 使用国外 DNS 造成国内网站访问慢的解决方法

    本文原载于 wzyboy's blog,转载请注明本文地址: https://wzyboy.im/post/874.html ,谢谢合作. 为什么要用国外 DNS 由于众所周知的问题,国内 DNS 服 ...

  5. Data-independent acquisition mass spectrometry in metaproteomics of gut microbiota - implementation and computational analysis DIA技术在肠道宏蛋白质组研究中的方法实现和数据分析 (解读人:闫克强)

    文献名:Data-independent acquisition mass spectrometry in metaproteomics of gut microbiota - implementat ...

  6. 笛卡尔&小雷:科学发展有规律,研究科学有方法

    一直在总结自己的学习和研究方法,最近在读吴军写的<文明之光> ,感觉这篇介绍笛卡尔的内容非常有价值,特此整理.最近开始在密谋自己的理论体系,低调实施中...  笛卡尔按照感知的方式,把人的 ...

  7. 推荐学习《组织与管理研究的实证方法(第2版)》中文PDF

    在写文章论文时,会涉及到观点论证,需要掌握一些实证方法. 建议学习<组织与管理研究的实证方法(第2版)>,对管理研究中涉及的方法进行了介绍,例如实验室研究,二手数据的研究,实地研究等,这对 ...

  8. ML.NET技术研究系列-2聚类算法KMeans

    上一篇博文我们介绍了ML.NET 的入门: ML.NET技术研究系列1-入门篇 本文我们继续,研究分享一下聚类算法k-means. 一.k-means算法简介 k-means算法是一种聚类算法,所谓聚 ...

  9. CNN结构:用于检测的CNN结构进化-一站式方法

    有兴趣查看原文:YOLO详解 人眼能够快速的检测和识别视野内的物体,基于Maar的视觉理论,视觉先识别出局部显著性的区块比如边缘和角点,然后综合这些信息完成整体描述,人眼逆向工程最相像的是DPM模型. ...

随机推荐

  1. 【PostgreSQL-9.6.3】psql常用命令

    命令 描述 \l 查看数据库 \c 换库 \d 查看所有表 \dt 只显示匹配的表 \di 只显示匹配的索引 \ds 只显示匹配的序列 \dv 只显示匹配的视图 \df 只显示匹配的函数 \d t1 ...

  2. 删除git上已经提交的文件

    1.先查看有哪些文件可以删除,但是不真执行删除 git rm -r -n job-executor-common/target/* -r  递归移除目录 -n 加上这个参数,执行命令时,是不会删除任何 ...

  3. 【sqli-labs】 less26a GET- Blind based -All you SPACES and COMMENTS belong to us -String-single quotes-Parenthesis(GET型基于盲注的去除了空格和注释的单引号括号注入)

    这个和less26差不多,空格还是用%a0代替,26过了这个也就简单了 ;%00 可以代替注释,尝试一下 order by 3 http://192.168.136.128/sqli-labs-mas ...

  4. MVC 数据传递

    public class HomeController : Controller { // GET: Home public ActionResult Index() //控制器名Home下默认的一个 ...

  5. Linux 帮助与语言设置以及(\)

    1.命令太长可以用反斜杠(\)来转义回车键,使用命令连续到下一行.注意:反斜杠后就立刻接着特殊字符才能转义. 2.修改语系为英文 LANG=en_US.utf8 export LC ALL=en_US ...

  6. 用批处理实现垃圾文件清除/自动关机/清除copy病毒

    晚上睡觉之前为了下emule经常使用命令shutdown,最近受一个小程序影响想做个自动关机的批处理文件免的麻烦!网上有高手做了个,不过运行时出 现一个绑定错误,at也不能执行,所以后来自己做了简化版 ...

  7. Javaweb 使用Servlet技术改写用户登录 使用Filter技术解决中文乱码

    先把实验3的jsp页面复制过来: WebContent->WEB-INF->lib下面的jar包8.0版本也要记得复制: Java Resources->src下的 cn.edu.h ...

  8. Java JPA通过hql语句查询数据

    import javax.persistence.PersistenceContext; import javax.persistence.Query; public class StudentSer ...

  9. Crossing Rivers UVA - 12230 概率与期望

    题目大意:有个人每天要去公司上班,每次会经过N条河,家和公司的距离为D,默认在陆地的速度为1,给出N条河的信息,包括起始坐标p,宽度L,以及船的速度v.船会往返在河的两岸,人到达河岸时,船的位置是随机 ...

  10. [Ynoi2011]D2T1

    题目大意: 给定一个数列$a$,有以下几种询问: 1. 给定$x$,在序列末尾插入$x$.2. 给定$l,r$,输出$\sum\limits_{i=l}^r a_i$.3. 给定$x$,将数列中的所有 ...