DCC-Find: DNS Covert Channel Detection by Features Concatenation-Based LSTM

DNS (Domain Name System) plays an important role in network communication and it is rarely blocked by firewalls and intrusion detection systems (IDS). It is a suitable way for attackers to build DCC (DNS Covert Channel), which is used for data exfiltration. In recent years, some DCC detection methods have been proposed based on deep learning and there is no need for manual feature extraction. However, some expert knowledge is helpful to express the DNS characteristic. In this paper, we propose a FC-LSTM (Features Concatenation-based LSTM) model to detect DCC. The statistical features are concatenated with the output features of the LSTM model. This method makes the expression of DNS domain names more abundant. The experimental results have shown that the DCC traffic can be identified from normal traffic via this model, and the recognition rate is significantly improved compared with the traditional LSTM model and CNN model. In addition, we implement multi-classification in terms of the DCC tools (some of them are used in APT32). We also add generalization DNS packets (simulating APT34 traffic using DCC for stealing and attacking) to verify the robustness of our model. The FC-LSTM model has a good detection performance as well.