刘峰,龚国芳,石元奇,朱北斗

DOI: https://doi.org/10.3785/j.issn.1006-754x.2010.04.013

2010-01-01

Journal of Engineering Design

Abstract:According to data monitoring and automation requirements of shield construction,the monitoring system of shield machine based on industrial network architecture is designed by a combinative model of centralized monitoring and distributed control,then the structural characteristics of the hardware and software of the monitoring system was analysed in detail.Aimed at the earth pressure balance technology in the monitoring progress of the shield,the expertise database based on experimental data of different stratum has been established by the adaptive control method based on the soil identification to achieve the adaptive control of earth pressure in the process of shield tunneling.The monitoring software programs are developed by the combination of LabVIEW and Matlab,and the results show that the human-machine interface of the monitoring system with good maneuverability and high security and reliability is intuitive.

Fei Wang,Liusheng Huang,Zhili Chen,Haibo Miao,Wei Yang

DOI: https://doi.org/10.1007/978-3-319-04283-1_15

2014-01-01

Abstract:The web tunnel is a common attack technique in the Internet and it is very easy to be implemented but extremely difficult to be detected. In this paper, we propose a novel web tunnel detection method which focuses on protocol behaviors. By analyzing the interaction processes in web communications, we give a scientific definition to web sessions that are our detection objects. Under the help of the definition, we extract four first-order statistical features which are widely used in previous research of web sessions. Utilizing the packet lengths and inter-arrival times in the transport layer, we divide TCP packets into different classes and discover some statistical correlations of them in order to extract another three second-order statistical features of web sessions. Further, the seven features are regarded as a 7-dimentional feature vector. Exploiting the vector, we adopt a support vector machine classifier to distinguish tunnel sessions from legitimate web sessions. In the experiment, our method performs very well and the detection accuracies of HTTP tunnels and HTTPS tunnels are 82.5% and 91.8% respectively when the communication traffic is above 500 TCP packets.

Yan Shen,Qi-fei Zhang,Ling-di Ping,Yan-Fei Wang,Wen-juan Li

DOI: https://doi.org/10.1109/trustcom.2012.41

2012-01-01

Abstract:In the existing large-scale performance test of IPsec tunnel, it often needs special software and hardware. To solve the problem, this article proposed a new method, in which packet was encapsulated in user space, and a multi-tunnel controller was designed and implemented with the method of FSM(finite state machine), which controlled the negotiation and establishment of multiple tunnel, including L2tp, IKEv1, IKEv2, IKEv2+EAP and L2tp Over IPsec. Libpcap was used as the bottom layer driver of package, and the application of zero copy technique had reduced system cost immensely. At last, the result of the experiment verified the performance of the IKEv1 tunnel on Tunnel-mode and Transport-mode.

Yubo He,Yuefei Zhu,Wei Lin

DOI: https://doi.org/10.1088/1742-6596/1187/4/042055

2019-04-01

Journal of Physics: Conference Series

Abstract:Aiming at reducing the high False Negative rate of the existing Trojan horse detection method based on behavior, this paper utilized the sequence characteristics of tunnel Trojan communication extracted from the transport layer and the bi-directional recurrent neural network in deep learning to build a HTTP tunnel Trojan detection model. The experimental result showed that the deep learning-based detection model reduced the false positive rate of normal network traffic and improved the Trojan detection rate. We also found that the deep learning-based detection model reduced the feature selecting and data cleaning process of generating samples and improved the easy-using of the HTTP tunnel Trojan detection model.

Ting Liu,Xiaohong Guan,Qinghua Zheng,Ke Lu,Yuanfeng Song,Weizhang Zhang

DOI: https://doi.org/10.1109/CCNC.2009.4785028

2010-01-01

Abstract:This paper presents a novel Trojan detection and defense system. The prototype searches the important files which contain users' confidential information on the disk. And then, these files will be monitored to find which processes will access them by capturing and analyzing the IRPs (I/O Request Packets). The processes of Trojans will be distinguished from regular ones by evaluating their API-calls with several machine-learning models, rather than traditional signature-based mechanism. Testing results show that this prototype could detect and defend the unknown Trojans quickly and accurately.

Shicong Li,Xiaochun Yun,Yongzheng Zhang,Jun Xiao,Yipeng Wang

DOI: https://doi.org/10.1109/NAS.2012.10

2012-01-01

Abstract:Because of the widespread Trojan, Internet users become more and more vulnerable to the threat of information leakage. Traditional techniques of Trojan detection were classified into two main categories: host-based and network-based. Unfortunately, existing techniques are insufficient and limited, because of the following reasons: (1)only uncover the known Trojan while inefficiently detecting novel samples, (2) should be adjusted in a timely fashion even a trivial change is applied, and (3)become computationally more expensive. In our work, we focus on a network behavior based method to address the limitations of previous network-based approaches. We analyze the profile of network behavior at two levels: (i)flow-level, (ii)IP-level. Our approach present two main advantages: (1)capture more detailed information to describe the network behavior profile, (2)consume lower computational overhead. We proposed a system, Manto, which detects Trojan communication with high accuracy using clustering technique. We implement Manto on real-world traces. The evaluation results exhibit that Manto is suitable for detecting Trojan communication amongst the vast amount of network traffic, with over 91% accuracy and less than 3.2% false positive ratio. We confidently regard our approach as a complementary way to the existing network-based techniques for we could address their main shortcomings.

Filippo Sobrero,Beatrice Clavarezza,Daniele Ucci,Federica Bisio

2023-09-22

Abstract:In the very last years, cybersecurity attacks have increased at an unprecedented pace, becoming ever more sophisticated and costly. Their impact has involved both private/public companies and critical infrastructures. At the same time, due to the COVID-19 pandemic, the security perimeters of many organizations expanded, causing an increase of the attack surface exploitable by threat actors through malware and phishing attacks. Given these factors, it is of primary importance to monitor the security perimeter and the events occurring in the monitored network, according to a tested security strategy of detection and response. In this paper, we present a protocol tunneling detector prototype which inspects, in near real time, a company's network traffic using machine learning techniques. Indeed, tunneling attacks allow malicious actors to maximize the time in which their activity remains undetected. The detector monitors unencrypted network flows and extracts features to detect possible occurring attacks and anomalies, by combining machine learning and deep learning. The proposed module can be embedded in any network security monitoring platform able to provide network flow information along with its metadata. The detection capabilities of the implemented prototype have been tested both on benign and malicious datasets. Results show 97.1% overall accuracy and an F1-score equals to 95.6%.

Cryptography and Security

Yue Wang,Anmin Zhou,Shan Liao,Rongfeng Zheng,Rong Hu,Lei Zhang

DOI: https://doi.org/10.1016/j.comnet.2021.108322

IF: 5.493

2021-10-01

Computer Networks

Abstract:<p>Domain Name System (DNS) tunnels, established between the controlled host and master server disguised as the authoritative domain name server, can be used as a secret data communication channel for malicious activities. Owing to the ready evasion of the DNS traffic to bypass the network security mechanism, DNS tunnelling can cause severe damage. Thus, an in-depth and comprehensive understanding of the various detection technologies is of considerable importance when facing this type of threat. However, most of the existing reviews focus on a single aspect of the DNS tunnel detection technologies, such as methods based on machine learning, traffic, and payload analysis. In addition, few studies have conducted comprehensive investigation that includes a sequentially integrated range of literature in this researchfield, or have analysed the latest literature on DNS tunnels. This paper reviews these detection technologies from a novel perspective of rule-based and model-based methods with descriptions and analyses of the DNS-based tools and their corresponding features. To the best of our knowledge, this is the first study to comprehensively discuss and analyse DNS tunnel detection in a novel and specific classification fashion from various aspects in detail, covering almost all the detection methods developed from 2006 to 2020. Furthermore, a comparative analysis of detection methods and several suggestions for future research directions are presented.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Yang Ping,Li Xiaorun

DOI: https://doi.org/10.3969/j.issn.1000-386X.2012.06.034

2012-01-01

Abstract:Real-time tunnel traffic safety monitoring system is an important means to ensure secure operation of tunnel.Aiming at the particularity of the environment in tunnel,a vehicle detection algorithm based on accumulation of difference depth matrix and a vehicle tracking algorithm based on Kalman filter are proposed,by which the detection and tracking of multiple moving vehicles are achieved.An intelligent tunnel traffic safety monitoring system based on video detection processing is designed in this paper using the techniques of image processing,computer vision,pattern recognition and software engineering,etc.The system can accurately detect various traffic operation parameters and traffic events,and provide strong guarantee for tunnel traffic safety.

Shicong Li,Xiaochun Yun,Yongzheng Zhang,Yi Pang,Tao Yin

DOI: https://doi.org/10.1109/ICCT.2012.6511272

2012-01-01

Abstract:Most existing approaches for detecting Trojan are limited for obfuscation and encryption techniques. In this paper, we present a network behavior analysis designed to address the limitations of previously-proposed approaches. Our solution considered not only transport layer characteristics but also network layer characteristics. The approach in this paper exhibits two major advantages: (1) can better represent Trojan network behavior, and (2) performed at very low computational cost. Based on clustering technique, we proposed a detection model that detects Trojan communication with high accuracy. We implement the model on real-world traces. The experiments show that our model is suitable for detecting Trojan communication amongst the vast amount of network traffic, with over 90% accuracy and less than 3.5% false positive rate. We confidently consider that our detection approach is complementary to the existing techniques.

Qi-wei WU,Yong SHI,Zhi XUE

DOI: https://doi.org/10.3969/j.issn.1009-8054.2015.12.067

2015-01-01

Abstract:With the development of Internet and information security, there appears a new attack method:ATP (Advanced Persis￣tent Threat). At the last stage of APT, when wanting to steal sensitive data from victimized network, the attacker may use covert tun￣nel. Virtual private networks are point-to-point connections across a private or public network such as Internet. VPN has always been considered safe in the past few years, but in fact, it may also bring a lot of potential safety hazards. For example, the attacker may take advantage of virtual private network, and make it an APT covert tunnel for transmitting sensitive data. In view of such a double-edged sword, it is necessary to find a way for detecting malignant virtual private network and preventing the existence of APT covert tunnel.

Johan Mazel,Matthieu Saudrais,Antoine Hervieu

DOI: https://doi.org/10.48550/arXiv.2201.10371

2022-01-25

Cryptography and Security

Abstract:Encrypted tunneling protocols are widely used. Beyond business and personal uses, malicious actors also deploy tunneling to hinder the detection of Command and Control and data exfiltration. A common approach to maintain visibility on tunneling is to rely on network traffic metadata and machine learning to analyze tunnel occurrence without actually decrypting data. Existing work that address tunneling protocols however exhibit several weaknesses: their goal is to detect application inside tunnels and not tunnel identification, they exhibit limited protocol coverage (e.g. OpenVPN and Wireguard are not addressed), and both inconsistent features and diverse machine learning techniques which makes performance comparison difficult. Our work makes four contributions that address these limitations and provide further analysis. First, we address OpenVPN and Wireguard. Second, we propose a complete pipeline to detect and classify tunneling protocols and tunneled applications. Third, we present a thorough analysis of the performance of both network traffic metadata features and machine learning techniques. Fourth, we provide a novel analysis of domain generalization regarding background untunneled traffic, and, both domain generalization and adversarial learning regarding Maximum Transmission Unit (MTU).

Guangyuan Gao,Weina Niu,Jiacheng Gong,Dujuan Gu,Song Li,Mingxue Zhang,Xiaosong Zhang

DOI: https://doi.org/10.1109/tifs.2024.3443596

IF: 7.231

2024-08-24

IEEE Transactions on Information Forensics and Security

Abstract:DNS tunnels, due to their versatility and concealment, have become a preferred method for attackers to execute Command and Control (C&C) attacks, posing a significant security threat to terminal devices. Therefore, the efficient and accurate detection of DNS tunnels is important in reducing the economic losses and privacy risks faced by both enterprises and individuals. Despite notable advancements in the research of intelligent detection of DNS tunnels, existing model-based approaches predominantly concentrate on the surface-level features of domain names or packet payloads. This narrow focus leads to low detection accuracy when dealing with unknown DNS tunnel attacks and traffic from wildcard DNS. Furthermore, these methods struggle with accurately identifying DNS tunneling tools, complicating the task of swiftly locating and mitigating malware for analysts. This paper proposes GraphTunnel, a framework based on graph neural networks for detecting DNS tunnels and identifying tunneling tools. It delves into the correlations among DNS resolutions to construct paths that represent the recursive resolution process of DNS. By using central nodes that denote the gateways, these paths are connected and transformed into graph structures. Concurrently, it employs GraphSage to aggregate the features of nodes and their edges in the graph, enabling effective detection of DNS tunnels. Additionally, GraphTunnel utilizes the G2M algorithm to capture the statistical features of nodes in the graph and maps them into grayscale images, which are then processed by a CNN for multi-class identification of DNS tunneling tools. Experimental results demonstrate that in non-wildcard DNS scenarios, GraphTunnel achieves a 100% accuracy in DNS tunnel detection, encompassing unknown DNS tunnels. Even in high false-positive environments caused by wildcard DNS, GraphTunnel maintains an F1-Score of 99.78%. Moreover, GraphTunnel can identify DNS tunneling tools with an accuracy rate exceeding 98.57%, enhancing the rapid mitigation capabilities of emergency responders in dealing with malicious DNS tunnels.

computer science, theory & methods,engineering, electrical & electronic

Jiang Xie,Shuhao Li,Yongzheng Zhang,Xiaochun Yun,Jia Li

DOI: https://doi.org/10.48550/arXiv.2309.01174

2023-09-03

Networking and Internet Architecture

Abstract:Trojans are one of the most threatening network attacks currently. HTTP-based Trojan, in particular, accounts for a considerable proportion of them. Moreover, as the network environment becomes more complex, HTTP-based Trojan is more concealed than others. At present, many intrusion detection systems (IDSs) are increasingly difficult to effectively detect such Trojan traffic due to the inherent shortcomings of the methods used and the backwardness of training data. Classical anomaly detection and traditional machine learning-based (TML-based) anomaly detection are highly dependent on expert knowledge to extract features artificially, which is difficult to implement in HTTP-based Trojan traffic detection. Deep learning-based (DL-based) anomaly detection has been locally applied to IDSs, but it cannot be transplanted to HTTP-based Trojan traffic detection directly. To solve this problem, in this paper, we propose a neural network detection model (HSTF-Model) based on hierarchical spatiotemporal features of traffic. Meanwhile, we combine deep learning algorithms with expert knowledge through feature encoders and statistical characteristics to improve the self-learning ability of the model. Experiments indicate that F1 of HSTF-Model can reach 99.4% in real traffic. In addition, we present a dataset BTHT consisting of HTTP-based benign and Trojan traffic to facilitate related research in the field.

ZHANG Chen,WANG Yi-jun,XUE Zhi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2011.02.023

2011-01-01

Abstract:Today's popular Trojans begin to use covert communication technology and bypass the detection of honeypot system.This paper first describes the common Trojan covert communication technologies and the growing popular kernel layer Rootkit covert communication technology,then discusses the current client honeypot detecting methods for malware.Aiming at the deficiency of Honeypot detection mechanisms for network communication,an effective improvement scheme is proposed,By using network traffic detection technology based on the NDIS intermediate driver,the Trojans date packets are acquired.This scheme could effectively detect Rootkit covert communication based on network driver and extract the key communication information for Trojan track and analysis.

Qi Liu,Guangyin Lu,Junrong Huang,Dongxin Bai

DOI: https://doi.org/10.1080/19475705.2020.1797906

2020-01-01

Geomatics, Natural Hazards and Risk

Abstract:<span>Along with the development of computer science and communication techniques, tunnel monitoring has been digital and intellectualized gradually. In recent years, traditional tunnel monitoring systems have been becoming powerless to deal with huge amounts of data as the number of tunnels and monitoring sensors surge. In this study, an innovative and comprehensive intelligent tunnel monitoring system was designed based on micro-service architecture. Various function modules were distributed to multiple service instances to get the computing pressure decentralized. The system offered powerful massive data processing support, flexibility, and extensibility. For a certain tunnel, the system could acquire the monitoring data in real-time using wireless sensors deployed on its surface. When data reached the early warning threshold, the system would immediately transmit the warning message to users. Besides, an app was developed to offer support for wireless communication between the monitoring apparatus and watchers. The application of the Anping case, one of the monitoring targets, proved the high efficiency of data transmitting and effective emergency response of the developed system. The results indicated that the microservice architecture could facilitate algorithm development, decentralize calculation pressure, and promote the service capacity by decoupling components and distributing loads.</span>

Zheng Wang

DOI: https://doi.org/10.48550/arXiv.1605.01401

2016-05-04

Cryptography and Security

Abstract:This paper proposes a defense scheme against malicious use of DNS tunnel. A tunnel validator is designed to provide trustworthy tunnel-aware defensive recursive service. In addition to the detection algorithm of malicious tunnel domains, the tunnel validation relies on registered tunnel domains as whitelist and identified malicious tunnel domains as blacklist. A benign tunnel user is thus motivated to register its tunnel domain before using it. Through the tunnel validation, the secure domains are allowed to the recursive service provided by the tunnel validator and the insecure domains are blocked. All inbound suspicious DNS queries are recorded and stored for forensics and future malicious tunnel detection by the tunnel validator.

Jiang Xie,Shuhao Li,Xiaochun Yun,Yongzheng Zhang,Peng Chang

DOI: https://doi.org/10.1016/j.cose.2020.101923

IF: 5.105

2020-01-01

Computers & Security

Abstract:HTTP-based Trojan is extremely threatening, and it is difficult to be effectively detected because of its concealment and confusion. Previous detection methods usually are with poor generalization ability due to outdated datasets and reliance on manual feature extraction, which makes these methods always perform well under their private dataset, but poorly or even fail to work in real network environment. In this paper, we propose an HTTP-based Trojan detection model via the Hierarchical Spatio-Temporal Features of traffics (HSTF-Model) based on the formalized description of traffic spatio-temporal behavior from both packet level and flow level. In this model, we employ Convolutional Neural Network (CNN) to extract spatial information and Long Short-Term Memory (LSTM) to extract temporal information. In addition, we present a dataset consisting of Benign and Trojan HTTP Traffic (BTHT-2018). Experimental results show that our model can guarantee high accuracy (the F1 of 98.62% ~ 99.81% and the FPR of 0.34% ~ 0.02% in BTHT-2018). More importantly, our model has a huge advantage over other related methods in generalization ability. HSTF-Model trained with BTHT-2018 can reach the F1 of 93.51% on the public dataset ISCX-2012, which is 20+% better than the best of related machine learning methods.

Yu Cui,Zhi-Hong Tian,Bin-Xing Fang,Hong-Li Zhang,Wei-Zhe Zhang

DOI: https://doi.org/10.1587/transcom.e96.b.2875

2013-01-01

IEICE Transactions on Communications

Abstract:Tunneling is one of the main methods for the transition from IPv4 to IPv6 networks. By encapsulating IPv6 packets in IPv4 or UDP packets, tunnels like 6to4, Isatap and Teredo provide a feasible way for IPv4 hosts to establish IPv6 connections to hosts in IPv6 interne or IPv6 islands. For IPv4 internet, the use of tunnels varies the traffic and increases the type of packets, making the network environment more complex. In addition to common tunnels, various types of tunnels with more layers are tested in this paper. The results of successful connections prove the usefulness of multi-layer packets with diverse layer-count and type on the interne. To ensure the security of internal networks, the influence on traffic analysis in dual-stack IDS devices caused by the diversity is studied. Three spoofing attacks of "data insertion", "data evasion" and "attacks using UDP" are proposed to show the influence on IDS caused by tunnels. Compared to the attacks without tunnels, some constraining factors are eliminated, which may increase the security risk of IDS and decrease the attacker's difficulties. To summarize this kind of problem, the concept of "Tunnel Interference" is revealed. And as solutions to this problem, two methods, RA (Record All) and HEH (Hash for Each Header), are presented in this paper which theoretically solve these problems to a great extent. RA records all headers and compares from the outermost to innermost layer. HEH is hash-based and accumulates hash values of each header. Both of them have linear time and space complexity. Experimental results show that RA and HEH will lead to minor space increase and up to 1.2% time increment in each layer compared to the original dual-stack.

Cai Hongmin,Wu Naiqi,Teng Shaohua

DOI: https://doi.org/10.3969/j.issn.1000-386X.2012.05.076

2012-01-01

Abstract:Networks attack means emerge endlessly along with the growing serious network security problems.As a kind of main malicious code,Trojan horse program brings great troubles to computer users in the areas of infringing personal privacies and remotely monitoring the computers of others,etc.The authors implement a distributed Trojan horse program detection system by applying the deep packet inspection technology to the detection of Trojan horse program,we use regular expression to match the attack mode in detecting the Trojan horse program,therefore have strengthened the security of networks.