http://www.ijrter.com/papers/volume-2/issue-4/dns-tunneling-detection.pdf 
《DNS Tunneling Detection》
In this paper we have presented a method of the DNS tunneling detection based on the clustering of the DNS traffic images.
检测手段也分为两种:
DNS packet analysis and DNS traffic analysis. Packet analysis denotes the request and response payload examination. Traffic analysis denotes the packets study in time to collect statistics – such as count of the packets from a single host, submission frequency, etc.
DNS packet analysis方法:
1. Request and response packet size analysis.
2. Domain names entropy analysis. 
3. Usage of the non-common types of DNS resource records. 
4. Frequency of the digit occurrences in the domain names.

DNS traffic analysis techniques:
1. The DNS traffic volume from a single IP address.
2. 2. The DNS traffic volume for certain domains. 
3. The DNS server geographic location.
4. Time of the DNS resource records creation.

http://onlinelibrary.wiley.com/wol1/doi/10.1002/dac.2836/full
DNS tunneling detection through statistical fingerprints of protocol messages and machine learning
The proposed monitoring mechanism looks at simple statistical properties of protocol messages, such as statistics of packets inter-arrival times and of packets sizes.

https://arxiv.org/abs/1004.4358 
Detecting DNS Tunnels Using Character Frequency Analysis
This paper explores the possibility of detecting DNS tunnels by analyzing the unigram, bigram, and trigram character frequencies of domains in DNS queries and responses. It is empirically shown how domains follow Zipf's law in a similar pattern to natural languages, whereas tunneled traffic has more evenly distributed character frequencies. This approach allows tunnels to be detected across multiple domains, whereas previous methods typically concentrate on monitoring point to point systems. Anomalies are quickly discovered when tunneled traffic is compared to the character frequency fingerprint of legitimate domain traffic.

http://www.sciencedirect.com/science/article/pii/S1389128608003071
Tunnel Hunter: Detecting application-layer tunnels with statistical fingerprinting
In this paper we propose a statistical classification mechanism that could represent an important step towards new techniques for securing network boundaries. The mechanism, called Tunnel Hunter, relies on the statistical characterization at the IP-layer of the traffic that is allowed by a given security policy, such as HTTP or SSH. The statistical profiles of the allowed usages of those protocols can then be dynamically checked against traffic flows crossing the network boundaries, identifying with great accuracy when a flow is being used to tunnel another protocol. 
类似文章在:A Bigram based Real Time DNS Tunnel Detection Approach 
http://www.sciencedirect.com/science/article/pii/S1877050913002421

http://ieeexplore.ieee.org/abstract/document/6755060/?reload=true 
Basic classifiers for DNS tunneling detection
The paper deals with DNS tunneling detection by means of simple supervised learning schemes, applied to statistical features of DNS queries and answers.

https://link.springer.com/chapter/10.1007/978-3-319-07995-0_46
Supervised Learning Approaches with Majority Voting for DNS Tunneling Detection
To do that, we pose a classification problem on several statistical fingerprints
(features) of query and answers, acquired during the system evolution. More
specifically, let q and a be the packet sizes of a query and the corresponding
answer。

https://link.springer.com/chapter/10.1007/978-3-642-38998-6_16
Flow-Based Detection of DNS Tunnels
In this paper we develop such a technique, based on the monitoring and analysis of network flows. Our methodology combines flow information with statistical methods for anomaly detection. The contribution of our paper is twofold. Firstly, based on flow-derived variables that we identified as indicative of DNS tunnelling activities, we identify and evaluate a set of non-parametrical statistical tests that are particularly useful in this context. Secondly, the efficacy of the resulting tests is demonstrated by extensive validation experiments in an operational environment, covering many different usage scenarios.

DNS通道检测 国外学术界研究情况——研究方法:基于流量,使用机器学习分类算法居多,也有使用聚类算法的;此外使用域名zif low也有的更多相关文章

  1. DNS通道检测 国内学术界研究情况——研究方法:基于特征或者流量,使用机器学习决策树分类算法居多

    http://xuewen.cnki.net/DownloadArticle.aspx?filename=BMKJ201104017&dbtype=CJFD<浅析基于DNS协议的隐蔽通道 ...

  2. Android 第三方应用接入微信平台研究情况分享

    微信平台开放后倒是挺火的,许多第三方应用都想试下接入微信这个平台,毕竟可以利用微信建立起来的关系链来拓展自己的应用还是挺不错的 最近由于实习需要也在研究这个东西,这里把我的整个研究情况给出来 微信平台 ...

  3. 利用机器学习进行DNS隐蔽通道检测——数据收集,利用iodine进行DNS隐蔽通道样本收集

    我们在使用机器学习做DNS隐蔽通道检测的过程中,不得不面临样本收集的问题,没办法,机器学习没有样本真是“巧妇难为无米之炊”啊! 本文简单介绍了DNS隐蔽通道传输工具iodine,并介绍如何从iodin ...

  4. 使用国外 DNS 造成国内网站访问慢的解决方法

    本文原载于 wzyboy's blog,转载请注明本文地址: https://wzyboy.im/post/874.html ,谢谢合作. 为什么要用国外 DNS 由于众所周知的问题,国内 DNS 服 ...

  5. Data-independent acquisition mass spectrometry in metaproteomics of gut microbiota - implementation and computational analysis DIA技术在肠道宏蛋白质组研究中的方法实现和数据分析 (解读人:闫克强)

    文献名:Data-independent acquisition mass spectrometry in metaproteomics of gut microbiota - implementat ...

  6. 笛卡尔&小雷:科学发展有规律,研究科学有方法

    一直在总结自己的学习和研究方法,最近在读吴军写的<文明之光> ,感觉这篇介绍笛卡尔的内容非常有价值,特此整理.最近开始在密谋自己的理论体系,低调实施中...  笛卡尔按照感知的方式,把人的 ...

  7. 推荐学习《组织与管理研究的实证方法(第2版)》中文PDF

    在写文章论文时,会涉及到观点论证,需要掌握一些实证方法. 建议学习<组织与管理研究的实证方法(第2版)>,对管理研究中涉及的方法进行了介绍,例如实验室研究,二手数据的研究,实地研究等,这对 ...

  8. ML.NET技术研究系列-2聚类算法KMeans

    上一篇博文我们介绍了ML.NET 的入门: ML.NET技术研究系列1-入门篇 本文我们继续,研究分享一下聚类算法k-means. 一.k-means算法简介 k-means算法是一种聚类算法,所谓聚 ...

  9. CNN结构:用于检测的CNN结构进化-一站式方法

    有兴趣查看原文:YOLO详解 人眼能够快速的检测和识别视野内的物体,基于Maar的视觉理论,视觉先识别出局部显著性的区块比如边缘和角点,然后综合这些信息完成整体描述,人眼逆向工程最相像的是DPM模型. ...

随机推荐

  1. 5.20rieds切换数据库

  2. 本地Gradle配置方法,免去长时间的更新同步等待

    通常gradle项目在gradle\wrapper\gradle-wrapper.properties中配置在线gradle: distributionBase=GRADLE_USER_HOME di ...

  3. Mybatis与Hibernate的对比

    Mybatis与Hibernate的对比 工作中,用了一段Hibernate与Mybatis,也在此简单的聊上几句,希望对大家有帮助. Mybatis与Hibernate不同,它不完全是一个ORM框架 ...

  4. SLAM:使用G2O-ORB-SLAM(编译)

    前言: 没有新雪,看看自己所做的事情,有没有前人做过.果然,EKF_SLAM的版本出现了Android版本的OpenEKFMonoSLAM, G2O-ORB SLAM也出现了VS2012版本. 一.S ...

  5. OpenCV的AdaptiveThreshold函数

    摘自于OpenCV Doc2.410,opencv2refman文档. 1.函数原型 adaptiveThreshold //Applies an adaptive threshold to an a ...

  6. 【技术累积】【点】【java】【19】访问权限

    java中的四种访问权限 范围如下表 权限 类内 同包 不同包子类 不同包非子类 Public ✔️ ✔️ ✔️ ✔️ 默认(Default) ✔️ ✔️ ️ Protected ✔️ ✔️ ✔️ P ...

  7. NOPI读取Word模板并保存

    安装NPOI 可以在 程序包管理器控制台中输入 PM> Install-Package NPOI 会下载最新版本NPOI ----------------------------引用了NPOI- ...

  8. iOS https 证书链获取

    - (void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)chall ...

  9. 数据库操作(一)DML

    1.数据库 数据库可视为电子化的文件柜——存储电子文件的处所,用户可以对文件中的数据进行新增.查询.更新.删除等操作. 所谓“数据库”是以一定方式储存在一起.能与多个用户共享.具有尽可能小的冗余度.与 ...

  10. MySQL基础命令小结

    数据库授权登录[root@localhost ~]# mysql -uroot -p123456mysql> grant select,lock tables on auth.* to 'adm ...