Abstract
An approach to detecting covert channels (C2 channels) based on the DNS protocol is considered. It involves identifying beacon signals or particular traffic signatures that are, in turn, indicative of malware activity. Samples of real DNS traffic are analyzed and then approximated with a known statistical distribution. The timing parameters of beacon signals sent at different frequencies are modeled, and the detection threshold that is optimal according to the Neyman–Pearson criterion is determined; this threshold minimizes the probability of falsely detecting a beacon signal. The results make it possible to improve the preliminary configuration of intrusion detection systems that apply a statistical approach to the analysis of network traffic parameters.
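The detection scheme sketched in the abstract, as an added worked example that is not code from the article: benign per-client inter-query gaps are assumed to follow an exponential distribution (the abstract does not name the distribution the authors fit), the beacon statistic is assumed to be the coefficient of variation of the gaps, and the threshold is chosen so that the false-alarm probability on benign traffic is bounded by a chosen alpha, which is the Neyman–Pearson way of fixing the threshold. All sample traffic is constructed.

```python
"""Beacon detection on per-client DNS query timestamps with a
Neyman-Pearson style threshold (added example; assumptions in the lead-in)."""
import random
import statistics


def gaps(timestamps):
    """Inter-arrival gaps (seconds) between consecutive DNS queries of one client."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def cv(values):
    """Coefficient of variation of the gaps: about 1 for Poisson arrivals,
    near 0 for a periodic beacon (only its jitter contributes)."""
    mean = statistics.fmean(values)
    return statistics.pstdev(values) / mean if mean > 0 else float("inf")


def np_threshold(n_gaps, alpha, trials=2000, seed=1):
    """Neyman-Pearson style threshold: the alpha-quantile of CV over simulated
    benign windows of exponential gaps, so P(alarm | benign) <= alpha.
    CV is scale-free under the exponential model (assumption), so only the
    window size n_gaps matters, not the client's query rate."""
    rng = random.Random(seed)
    sims = sorted(cv([rng.expovariate(1.0) for _ in range(n_gaps)])
                  for _ in range(trials))
    return sims[max(0, int(alpha * trials) - 1)]


def is_beacon(timestamps, threshold):
    """Alarm when a client's gap CV falls below the calibrated threshold."""
    return cv(gaps(timestamps)) < threshold


def constructed_demo(seed=7, alpha=0.001):
    """Constructed sample (not real traffic): one client with Poisson queries
    averaging one per 30 s, one implant beaconing every 60 s with +/-2 s jitter."""
    rng = random.Random(seed)
    benign, beacon, tb, tc = [], [], 0.0, 0.0
    for _ in range(201):
        benign.append(tb)
        tb += rng.expovariate(1 / 30)
        beacon.append(tc)
        tc += 60 + rng.uniform(-2, 2)
    thr = np_threshold(n_gaps=200, alpha=alpha)
    return {"threshold": thr,
            "benign_flagged": is_beacon(benign, thr),
            "beacon_flagged": is_beacon(beacon, thr)}


if __name__ == "__main__":
    print(constructed_demo())
```

Lowering alpha pushes the threshold down and trades missed low-jitter beacons for fewer false alarms on bursty but legitimate clients; the window size n_gaps must match the number of gaps actually scored per client.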
Ethics declarations
The authors declare that they have no conflicts of interest.
Translated by V. Vetrov
Cite this article
Eremeev, M.A., Nefedov, V.S., Ostrovskii, A.S. et al. The Use of Beacon Signals to Detect Covert Channels in DNS Traffic. Aut. Control Comp. Sci. 55, 962–969 (2021). https://doi.org/10.3103/S0146411621080095