<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Publishing DTD v1.3 20210610//EN" "JATS-journalpublishing1-3.dtd">
<article article-type="research-article" dtd-version="1.3" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xml:lang="ru"><front><journal-meta><journal-id journal-id-type="publisher-id">inform</journal-id><journal-title-group><journal-title xml:lang="ru">Информатика</journal-title><trans-title-group xml:lang="en"><trans-title>Informatics</trans-title></trans-title-group></journal-title-group><issn pub-type="ppub">1816-0301</issn><issn pub-type="epub">2617-6963</issn><publisher><publisher-name>UIIP NASB</publisher-name></publisher></journal-meta><article-meta><article-id pub-id-type="doi">10.37661/1816-0301-2020-17-3-78-86</article-id><article-id custom-type="elpub" pub-id-type="custom">inform-1057</article-id><article-categories><subj-group subj-group-type="heading"><subject>Research Article</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="ru"><subject>INFORMATION PROTECTION AND SYSTEM RELIABILITY</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="en"><subject>INFORMATION PROTECTION AND SYSTEM RELIABILITY</subject></subj-group></article-categories><title-group><article-title>Text analysis of DNS queries for protecting computer networks from data exfiltration</article-title><trans-title-group xml:lang="en"><trans-title>Text analysis of DNS queries for data exfiltration protection of computer networks</trans-title></trans-title-group></title-group><contrib-group><contrib contrib-type="author" corresp="yes"><contrib-id contrib-id-type="orcid">https://orcid.org/0000-0003-0768-5746</contrib-id><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Бубнов</surname><given-names>Я. В.</given-names></name><name name-style="western" xml:lang="en"><surname>Bubnov</surname><given-names>Ya. 
V.</given-names></name></name-alternatives><bio xml:lang="ru"><p>Yakov V. Bubnov, M. Sci. (Eng.), Postgraduate Student of the Department of Electronic Computing Machines, Faculty of Computer Systems and Networks</p><p>Minsk</p></bio><bio xml:lang="en"><p>Yakov V. Bubnov, M. Sci. (Eng.), Postgraduate Student of the Department of Electronic Computing Machines, Faculty of Computer Systems and Networks</p><p>Minsk</p></bio><email xlink:type="simple">girokompass@gmail.com</email><xref ref-type="aff" rid="aff-1"/></contrib><contrib contrib-type="author" corresp="yes"><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Иванов</surname><given-names>Н. Н.</given-names></name><name name-style="western" xml:lang="en"><surname>Ivanov</surname><given-names>N. N.</given-names></name></name-alternatives><bio xml:lang="ru"><p>Nick N. Ivanov, Cand. Sci. (Phys.-Math.), Associate Professor of the Department of Electronic Computing Machines, Faculty of Computer Systems and Networks</p><p>Minsk</p></bio><bio xml:lang="en"><p>Nick N. Ivanov, Cand. Sci. 
(Phys.-Math.), Associate Professor of the Department of Electronic Computing Machines, Faculty of Computer Systems and Networks</p><p>Minsk</p></bio><email xlink:type="simple">invanovnn@gmail.com</email><xref ref-type="aff" rid="aff-1"/></contrib></contrib-group><aff-alternatives id="aff-1"><aff xml:lang="ru"><institution>Belarusian State University of Informatics and Radioelectronics</institution></aff><aff xml:lang="en"><institution>Belarusian State University of Informatics and Radioelectronics</institution></aff></aff-alternatives><pub-date pub-type="collection"><year>2020</year></pub-date><pub-date pub-type="epub"><day>11</day><month>06</month><year>2020</year></pub-date><volume>17</volume><issue>3</issue><fpage>78</fpage><lpage>86</lpage><permissions><copyright-statement>Copyright &#x00A9; Bubnov Y.V., Ivanov N.N., 2020</copyright-statement><copyright-year>2020</copyright-year><copyright-holder xml:lang="ru">Bubnov Y.V., Ivanov N.N.</copyright-holder><copyright-holder xml:lang="en">Bubnov Y.V., Ivanov N.N.</copyright-holder><license xml:lang="ru" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>This work is licensed under a Creative Commons Attribution 4.0 License.</license-p></license><license xml:lang="en" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>This work is licensed under a Creative Commons Attribution 4.0 License.</license-p></license></permissions><self-uri xlink:href="https://inf.grid.by/jour/article/view/1057">https://inf.grid.by/jour/article/view/1057</self-uri><abstract><p>An effective method is proposed for protecting computer networks from data exfiltration through the Domain Name System (DNS), a way of concealing the transfer of confidential information to a remote attacker by encapsulating the data into the requested domain name. DNS queries are considered that carry stolen information from a host infected by malware to an external host controlled by the attacker. An approach is described for detecting such queries by text classification of domain names with a convolutional neural network. The effectiveness of the approach rests on the assumption that domain names used for data exfiltration differ from domain names formed from words of a natural language. For classifying queries in the convolutional neural network, character embedding is proposed for representing the domain name string. The quality of recognising data exfiltration through DNS by the trained neural network is evaluated using ROC analysis.</p><p>A software architecture is demonstrated for deploying the trained neural network into the existing DNS infrastructure for practical protection of computer networks from data exfiltration. The architecture implies the creation of response policy zones for blocking individual queries classified as malicious.</p></abstract><trans-abstract xml:lang="en"><p>The paper proposes an effective method of protecting computer networks from data exfiltration through the domain name system. Data exfiltration through the Domain Name System (DNS) is an approach to concealing the transfer of confidential data to a remote adversary by encapsulating the data into the requested domain name. The DNS requests that transfer stolen information from a host infected by malicious software to an external host controlled by a malefactor are considered. The paper proposes a method of detecting such DNS requests based on text classification of domain names by a convolutional neural network. 
The efficiency of the method rests on the assumption that domain names used for data exfiltration differ from domain names formed from words of a natural language. To classify the requests in the convolutional neural network, character embedding is proposed for representing the domain name string. The quality of the trained neural network in recognising data exfiltration through the domain name system is evaluated using ROC analysis.</p><p>The paper presents the software architecture used to deploy the trained neural network into the existing domain name system infrastructure for practical protection of computer networks from data exfiltration. The architecture implies the creation of response policy zones for blocking individual requests classified as malicious.</p></trans-abstract><kwd-group xml:lang="ru"><kwd>domain name system</kwd><kwd>computer network protection</kwd><kwd>data exfiltration</kwd><kwd>text classification</kwd><kwd>convolutional neural network</kwd></kwd-group><kwd-group xml:lang="en"><kwd>domain name system</kwd><kwd>computer network security</kwd><kwd>data exfiltration</kwd><kwd>text classification</kwd><kwd>convolutional neural network</kwd></kwd-group></article-meta></front><back><fn-group><fn fn-type="conflict"><p>The authors declare that there are no conflicts of interest present.</p></fn></fn-group></back></article>
