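(Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006, China; Chinese Academy of Cyberspace Studies, Beijing 100010, China; School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China; Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; Beijing DigApis Technology Co., Ltd, Beijing 100081, China)
Keywords:  DNS-based exfiltration  automatic data generation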
Automatic Data Generation of DNS-Based Exfiltration for AI-Model Training
FENG Lin, CUI Xiang, WANG Zhongru, GAN Ruiling, DIAO Jiawen, HAN Dongxu, JIANG Hai
Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006, China; Chinese Academy of Cyberspace Studies, Beijing 100010, China; School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China; Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; Beijing DigApis Technology Co., Ltd, Beijing 100081, China
In recent years, exfiltrating data over DNS, taking advantage of the good concealment and penetration of the DNS protocol, has become a favored TTP of many APT organizations. It is therefore imperative for enterprises and institutions to build the capability to monitor DNS traffic at the network boundary so as to accurately detect potential attack behavior. However, datasets of DNS-based APT campaigns suffer from many practical problems: they are difficult to obtain, small in quantity, and low in activity. Moreover, available data augmentation techniques are not suitable for transplanting to such a semantically sensitive field. These problems have restricted the training of AI detection models. Therefore, based on an analysis of the DNS-based exfiltration mechanism, combined with a large number of real APT cases and DNS-based exfiltration tools, we propose a method that automatically generates traffic data based on DNS-based exfiltration TTPs. We design and build an automatic generation system named MalDNS to generate a target DNS-based exfiltration dataset that is large-scale, high-fidelity, and of adjustable integrity. Finally, our experiments indicate that the generated dataset is effective and can support the training of detection models.
Key words:  DNS-based exfiltration  data generation