http://www.ijrter.com/papers/volume-2/issue-4/dns-tunneling-detection.pdf 
《DNS Tunneling Detection》
In this paper we have presented a method of DNS tunneling detection based on clustering of DNS traffic images.
Detection techniques are likewise divided into two kinds:
DNS packet analysis and DNS traffic analysis. Packet analysis denotes examination of the request and response payloads. Traffic analysis denotes the study of packets over time to collect statistics, such as the count of packets from a single host, submission frequency, etc.
DNS packet analysis methods:
1. Request and response packet size analysis.
2. Domain name entropy analysis.
3. Use of uncommon DNS resource record types.
4. Frequency of digit occurrences in domain names.

DNS traffic analysis techniques:
1. The DNS traffic volume from a single IP address.
2. The DNS traffic volume for certain domains.
3. The DNS server geographic location.
4. Time of DNS resource record creation.
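As an added example (my code, not from the paper), the packet-level and traffic-level indicators listed above computed over a constructed resolver log. The log format, the client addresses, the thresholds, and the choice of TXT and NULL as "uncommon" record types are assumptions made for this sample; the registered domain is approximated as the last two labels, which a real deployment would replace with a public suffix list lookup.

```python
import math
from collections import Counter

# Constructed resolver log (not captured traffic). Columns: time, client IP,
# query type, query name, query size, response size. Client 10.0.0.9 plays the
# part of a tunnel endpoint; everything else is ordinary browsing.
SAMPLE_LOG = """\
1000.00 10.0.0.5 A    www.example.com 31 47
1000.20 10.0.0.5 AAAA mail.example.com 32 60
1000.40 10.0.0.7 A    cdn.example.net 31 47
1001.00 10.0.0.9 TXT  3d2a9f0e1b7c4d5e6f708192a3b4c5d6e7f80910.t.tunnel-example.com 88 210
1001.05 10.0.0.9 TXT  4e3b0a1f2c8d5e6f7081a2b3c4d5e6f7081920ab.t.tunnel-example.com 88 205
1001.10 10.0.0.9 NULL 5f4c1b2a3d9e6f70819283b4c5d6e7f80a1b2c3d.t.tunnel-example.com 90 480
1001.15 10.0.0.9 TXT  6a5d2c3b4e0f718293a4b5c6d7e8f90a1b2c3d4e.t.tunnel-example.com 88 215
1002.00 10.0.0.7 A    www.example.org 31 47
"""

# Assumption: record types that ordinary clients rarely ask for directly.
UNCOMMON_QTYPES = {"TXT", "NULL"}


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, qtype, qname, qsize, asize = line.split()
        records.append({"ts": float(ts), "src": src, "qtype": qtype.upper(),
                        "qname": qname.lower().rstrip("."),
                        "qsize": int(qsize), "asize": int(asize)})
    return records


def shannon_entropy(text):
    """Bits per character: 0 for a constant string, log2(k) for k symbols used evenly."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registered_domain(qname):
    # Simplification: the last two labels. A real deployment should use the
    # public suffix list (e.g. co.uk is not a registrable domain).
    return ".".join(qname.split(".")[-2:])


def packet_features(rec):
    """Per-query features from the request/response payload (packet analysis)."""
    qname = rec["qname"]
    # A tunnel carries its upstream payload in the labels under the registered
    # domain, so entropy and digit ratio are measured on that part only.
    sub = qname[:-(len(registered_domain(qname)) + 1)]
    chars = sub.replace(".", "")
    digits = sum(ch.isdigit() for ch in chars)
    return {
        "qname_len": len(qname),
        "subdomain_entropy": shannon_entropy(chars),
        "digit_ratio": digits / len(chars) if chars else 0.0,
        "uncommon_qtype": rec["qtype"] in UNCOMMON_QTYPES,
        "qsize": rec["qsize"],
        "asize": rec["asize"],
    }


def traffic_stats(records):
    """Volume per client and per registered domain (traffic analysis)."""
    per_src = Counter(r["src"] for r in records)
    per_domain = Counter(registered_domain(r["qname"]) for r in records)
    return per_src, per_domain


def suspicious_sources(records, entropy_threshold=3.5, qsize_threshold=80, min_hits=3):
    """Clients with at least min_hits queries that trip a packet-level indicator.
    The thresholds are assumptions for this sample, not values from the paper."""
    hits = Counter()
    for rec in records:
        f = packet_features(rec)
        if (f["subdomain_entropy"] > entropy_threshold
                or f["uncommon_qtype"]
                or f["qsize"] > qsize_threshold):
            hits[rec["src"]] += 1
    return sorted(src for src, n in hits.items() if n >= min_hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    per_src, per_domain = traffic_stats(recs)
    for rec in recs:
        f = packet_features(rec)
        print(f"{rec['src']:9} {rec['qtype']:4} H={f['subdomain_entropy']:.2f} "
              f"digits={f['digit_ratio']:.2f} {rec['qname'][:40]}")
    print("queries per client:", dict(per_src))
    print("queries per domain:", dict(per_domain))
    print("flagged:", suspicious_sources(recs))
```

Entropy alone will also flag CDN and antivirus lookups that legitimately carry hashes in labels, which is why the per-client and per-domain volumes from traffic_stats are worth combining with the packet features rather than alerting on any single indicator.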

http://onlinelibrary.wiley.com/wol1/doi/10.1002/dac.2836/full
DNS tunneling detection through statistical fingerprints of protocol messages and machine learning
The proposed monitoring mechanism looks at simple statistical properties of protocol messages, such as statistics of packets inter-arrival times and of packets sizes.

https://arxiv.org/abs/1004.4358 
Detecting DNS Tunnels Using Character Frequency Analysis
This paper explores the possibility of detecting DNS tunnels by analyzing the unigram, bigram, and trigram character frequencies of domains in DNS queries and responses. It is empirically shown how domains follow Zipf's law in a similar pattern to natural languages, whereas tunneled traffic has more evenly distributed character frequencies. This approach allows tunnels to be detected across multiple domains, whereas previous methods typically concentrate on monitoring point-to-point systems. Anomalies are quickly discovered when tunneled traffic is compared to the character frequency fingerprint of legitimate domain traffic.

http://www.sciencedirect.com/science/article/pii/S1389128608003071
Tunnel Hunter: Detecting application-layer tunnels with statistical fingerprinting
In this paper we propose a statistical classification mechanism that could represent an important step towards new techniques for securing network boundaries. The mechanism, called Tunnel Hunter, relies on the statistical characterization at the IP-layer of the traffic that is allowed by a given security policy, such as HTTP or SSH. The statistical profiles of the allowed usages of those protocols can then be dynamically checked against traffic flows crossing the network boundaries, identifying with great accuracy when a flow is being used to tunnel another protocol. 
A similar article: A Bigram based Real Time DNS Tunnel Detection Approach
http://www.sciencedirect.com/science/article/pii/S1877050913002421
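An added example for the character-frequency approach of the arXiv paper and the bigram paper above (my code, not either paper's): an n-gram fingerprint is built from a constructed corpus of benign names, a batch of names is scored by total variation distance from that fingerprint, and the Zipf-like skew is made visible as the share of mass held by the top few n-grams. The benign corpus, the base32-looking tunnel names under the hypothetical zone x.cc, and the 0.35 threshold are all assumptions for this sample; normalization drops only the final label, which is a simplification of public-suffix handling.

```python
from collections import Counter

# Constructed corpus of benign query names, standing in for a capture of
# ordinary client traffic. Not real data.
LEGIT = [
    "www.google.com", "mail.yahoo.com", "login.microsoftonline.com",
    "update.windows.com", "static.cloudflare.net", "images.amazon.com",
    "api.github.com", "news.bbc.co.uk", "www.wikipedia.org", "cdn.jsdelivr.net",
    "fonts.googleapis.com", "connect.facebook.net", "assets.twitter.com",
    "download.mozilla.org", "ocsp.digicert.com", "time.apple.com", "pool.ntp.org",
    "www.reddit.com", "play.google.com", "accounts.google.com",
    "outlook.office365.com", "stackoverflow.com", "registry.npmjs.org",
    "packages.debian.org", "security.ubuntu.com", "www.linkedin.com",
    "ssl.gstatic.com", "www.youtube.com",
]

# Constructed tunnel-style names: base32-looking payload labels (base32 is one
# of the encodings real tunnels use) under a hypothetical zone x.cc.
TUNNEL = [
    "k3mzq7a2xbw5vcr6jlh4ytne2gpo3dfu.x.cc",
    "2hqv5tnbxg7eo3lkda4msi6wypj2zfcr.x.cc",
    "wx6pa3ldgm2kzy5hjt4eqob7nvsi3fuc.x.cc",
    "7ysd4nkfo2hvbe6tajcq3wl5mrzg2xip.x.cc",
    "bq4jte7zmo3cwsl2hdgx5nfiv6pky3ra.x.cc",
    "e5rlxz3hcv7qoam2gbju6twdn4skp3fy.x.cc",
    "n2cfgy6bvq3wrhlm7ediz4kxpt5sajo2.x.cc",
    "m6tzka3yhnob5egr2qsw4cfvxl7pdiju.x.cc",
    "u3wpsv5rfy2kgad6jolq7zbt4hnxec3m.x.cc",
    "i7egld2nprb3ozwy5xkqm4afjc6tvhs2.x.cc",
]


def normalize(name):
    """Drop the final label (TLD) and separators; keep only [a-z0-9]."""
    labels = name.lower().rstrip(".").split(".")[:-1]
    return "".join(ch for ch in "".join(labels) if ch.isalnum())


def ngrams(text, n):
    return [text[i:i + n] for i in range(len(text) - n + 1)]


def fingerprint(names, n=1):
    """Relative frequency of each character n-gram across a set of names."""
    counts = Counter()
    for name in names:
        counts.update(ngrams(normalize(name), n))
    total = sum(counts.values())
    return {g: c / total for g, c in counts.items()}


def total_variation(p, q):
    """0.5 * sum |p - q| over the union of n-grams: 0 for identical, 1 for disjoint."""
    keys = set(p) | set(q)
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in keys)


def top_mass(fp, k=5):
    """Share of all n-grams taken by the k most frequent ones: high for
    Zipf-like natural text, low for evenly spread encoded payloads."""
    return sum(sorted(fp.values(), reverse=True)[:k])


def is_tunnel_batch(names, reference, n=1, threshold=0.35):
    """Flag a batch whose n-gram distribution is far from the benign fingerprint.
    The threshold is an assumption for this sample and must be tuned per site."""
    return total_variation(reference, fingerprint(names, n)) > threshold


if __name__ == "__main__":
    reference = fingerprint(LEGIT[:20])          # training portion
    for label, batch in (("benign holdout", LEGIT[20:]), ("tunnel", TUNNEL)):
        fp = fingerprint(batch)
        print(f"{label:15} TV={total_variation(reference, fp):.2f} "
              f"top5={top_mass(fp):.2f} flagged={is_tunnel_batch(batch, reference)}")
```

The same code runs with n=2 or n=3 (pass n to fingerprint and is_tunnel_batch); bigram and trigram tables are sparser, so they need a much larger benign corpus than the 28 names here before the holdout distance settles down. Scoring batches rather than single names is what lets the method work across many tunnel domains at once, as the abstract notes.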

http://ieeexplore.ieee.org/abstract/document/6755060/?reload=true 
Basic classifiers for DNS tunneling detection
The paper deals with DNS tunneling detection by means of simple supervised learning schemes, applied to statistical features of DNS queries and answers.

https://link.springer.com/chapter/10.1007/978-3-319-07995-0_46
Supervised Learning Approaches with Majority Voting for DNS Tunneling Detection
To do that, we pose a classification problem on several statistical fingerprints (features) of query and answers, acquired during the system evolution. More specifically, let q and a be the packet sizes of a query and the corresponding answer.

https://link.springer.com/chapter/10.1007/978-3-642-38998-6_16
Flow-Based Detection of DNS Tunnels
In this paper we develop such a technique, based on the monitoring and analysis of network flows. Our methodology combines flow information with statistical methods for anomaly detection. The contribution of our paper is twofold. Firstly, based on flow-derived variables that we identified as indicative of DNS tunnelling activities, we identify and evaluate a set of non-parametrical statistical tests that are particularly useful in this context. Secondly, the efficacy of the resulting tests is demonstrated by extensive validation experiments in an operational environment, covering many different usage scenarios.
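An added example of a flow-level, non-parametric test of the kind the paper evaluates (my code, not the paper's; the paper does not necessarily use this particular test): a two-sample Kolmogorov-Smirnov test implemented from scratch comparing a flow-derived variable, bytes per client-to-resolver DNS flow, between a baseline window and an observation window. The three windows are constructed numbers, and the large-sample critical value formula is the standard asymptotic approximation.

```python
import math
from bisect import bisect_right

# Constructed flow-derived variable: bytes per flow for client->resolver DNS
# flows (UDP/53) in three five-minute windows. These are made-up numbers, not
# measurements. A normal resolver-bound flow carries a handful of small
# queries; a tunnel pushes hundreds of bytes per flow.
BASELINE = [64, 70, 58, 91, 77, 66, 83, 72, 60, 95, 69, 74, 88, 63, 79,
            71, 67, 85, 92, 61, 76, 68, 80, 73, 65, 90, 78, 62, 84, 75]
NORMAL_WINDOW = [66, 72, 59, 89, 75, 68, 81, 70, 63, 93, 67, 77, 86, 64, 82,
                 73, 69, 87, 94, 60, 74, 71, 79, 76, 62, 91, 80, 65, 83, 78]
TUNNEL_WINDOW = [412, 530, 388, 645, 471, 702, 455, 598, 366, 810, 433, 512,
                 677, 390, 560, 490, 420, 740, 615, 380, 505, 448, 690, 525,
                 400, 865, 580, 375, 630, 460]


def ecdf(sample):
    """Empirical distribution function F(x) = P(X <= x) of a sample."""
    xs = sorted(sample)
    n = len(xs)
    return lambda x: bisect_right(xs, x) / n


def ks_statistic(a, b):
    """Two-sample Kolmogorov-Smirnov statistic D = sup_x |F_a(x) - F_b(x)|.
    The supremum is attained at an observed value, so evaluating the step
    functions over the union of both samples is exact."""
    fa, fb = ecdf(a), ecdf(b)
    return max(abs(fa(x) - fb(x)) for x in set(a) | set(b))


def ks_critical(n, m, alpha=0.05):
    """Large-sample critical value: reject equal distributions when
    D > c(alpha) * sqrt((n + m) / (n * m)), c(alpha) = sqrt(-ln(alpha / 2) / 2).
    For very small samples exact tables should be used instead."""
    c = math.sqrt(-0.5 * math.log(alpha / 2))
    return c * math.sqrt((n + m) / (n * m))


def window_is_anomalous(baseline, window, alpha=0.05):
    """Return (flag, D, critical) for an observation window against the baseline."""
    d = ks_statistic(baseline, window)
    crit = ks_critical(len(baseline), len(window), alpha)
    return d > crit, d, crit


if __name__ == "__main__":
    for name, window in (("normal", NORMAL_WINDOW), ("tunnel", TUNNEL_WINDOW)):
        flag, d, crit = window_is_anomalous(BASELINE, window)
        print(f"{name:7} D={d:.3f} critical={crit:.3f} anomalous={flag}")
```

The test makes no assumption about the shape of the bytes-per-flow distribution, which is the point of going non-parametric: DNS flow sizes are far from normal, so a mean-and-standard-deviation threshold would be miscalibrated. The same function works unchanged for packets per flow or flow duration; the baseline should be rebuilt per client population, since a resolver-heavy host (a mail server, say) has a legitimately different distribution.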
