Introduction to the DNS protocol value 2

Time: 10-11

Now on to the working principle of the DNS protocol.
There are three well-known intrusion detection models: the Kill Chain, the Diamond Model, and MITRE ATT&CK. The Kill Chain model splits an attack into stages so that malicious software can be identified and stopped at each stage. It has seven stages: reconnaissance, weaponization, delivery, exploitation, installation (planting the back door), command and control (remote control), and the final stage, actions on objectives. Three of these stages involve DNS:
Weaponization stage: the attacker prepares 0-day attack content and uses a DGA to generate the DNS domain names that will support the later stages;
Exploitation stage: the attacker makes the victim download and execute the payload (the download location may be a URL tied to a domain name);
Remote control stage: a C&C channel is established, instructions are received, and the malware begins to * * * (the heartbeat and the C&C channel are tied to domain names);

The DGA method is the more widely used of these. Its purpose is to generate domain names algorithmically: the malware and the attacker's control side run the same calculation, so both produce the same large set of domain names. This large, constantly changing set is confusing to defenders, and the malware uses it to reach the cloud-hosted control end for command and control or data transfer. So how are DGA domain names detected? At present there are two common approaches:
1. Threat intelligence detection
Threat intelligence detection built on big data has risen in recent years and occupies an ever larger share of threat detection and security operations scenarios. Its detection precision depends entirely on the quality of the threat intelligence, and the quality of the intelligence in turn depends on the quality of the data. As a result, well-known international companies such as Cisco, and domestic ones such as 360, Alibaba and Tencent, all have an advantage here, especially 360, which focuses specifically on security.
2. Machine learning detection
Machine learning algorithms have been widely used in threat detection in recent years. Their main contributions are enriching the traditional signature features of IDS and detecting unknown threats and abnormal behaviour. They are also very effective at detecting DGA domains; although there are some false positives, this is still one of the better approaches.
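To make the two detection approaches concrete, here is an added example (not code from the original post) that runs both over a handful of constructed DNS query log lines: a threat-intelligence lookup against a small constructed feed, and a simple feature-based DGA heuristic (length, Shannon entropy, digit ratio, longest consonant run) that stands in for the kind of features a machine-learning classifier would learn. The log format, the intel feed, the feature thresholds and the per-client aggregation are all assumptions made for the example.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log lines (format assumed: time client qtype qname).
SAMPLE_LOG = """\
2024-03-01T08:00:01 10.0.0.21 A www.example.com
2024-03-01T08:00:02 10.0.0.21 A mail.google.com
2024-03-01T08:00:03 10.0.0.34 A xk3jq9vbz7lmw2.net
2024-03-01T08:00:04 10.0.0.34 A qpwoeirutyalskdjfh.com
2024-03-01T08:00:05 10.0.0.34 A 8f2a1c9e0b7d3a5f.org
2024-03-01T08:00:06 10.0.0.21 A static.cdn.example.co.uk
"""

# Constructed stand-in for a threat intelligence feed of known DGA/C&C domains.
INTEL_FEED = {"xk3jq9vbz7lmw2.net"}

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Naive handling of a few two-part public suffixes such as co.uk (assumption).
TWO_PART_SUFFIX = {"co", "com", "net", "org", "ac", "gov"}


def registered_label(fqdn):
    """Return the label the registrant chose, e.g. 'example' for www.example.co.uk."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in TWO_PART_SUFFIX and len(labels[-1]) == 2:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    """Bits of entropy per character; random-looking DGA labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s):
    """Human-chosen names rarely have long consonant runs; DGA output often does."""
    run = best = 0
    for ch in s:
        if ch.isalpha() and ch not in "aeiou":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_score(label):
    """Count how many DGA-like features the label shows (thresholds assumed)."""
    score = 0
    if len(label) >= 12:
        score += 1
    if shannon_entropy(label) >= 3.5:
        score += 1
    if sum(ch.isdigit() for ch in label) / max(len(label), 1) >= 0.3:
        score += 1
    if longest_consonant_run(label) >= 5:
        score += 1
    return score


def detect(log_text, feed=INTEL_FEED, threshold=2):
    """Yield (client, qname, reason, score) for queries that hit the feed or the heuristic."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the pipeline
        _ts, client, _qtype, qname = m.groups()
        qname = qname.lower().rstrip(".")
        score = dga_score(registered_label(qname))
        if qname in feed:
            hits.append((client, qname, "intel", score))
        elif score >= threshold:
            hits.append((client, qname, "heuristic", score))
    return hits


def suspicious_clients(hits, min_hits=2):
    """A DGA-infected host queries many such names, so aggregate per client."""
    counts = Counter(client for client, _q, _r, _s in hits)
    return sorted((c, n) for c, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for client, qname, reason, score in found:
        print(f"{client} {qname} reason={reason} score={score}")
    print("clients to investigate:", suspicious_clients(found))
```

The intel lookup is exact and cheap but only knows what the feed already contains, while the heuristic catches never-seen names at the cost of some false positives (short or digit-heavy legitimate CDN hostnames are the usual offenders), which is why the per-client count is the alerting unit rather than a single query.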

Whether it is common ransomware, a Trojan, or a high-end APT attack, malicious code usually uses the DGA method, so monitoring DNS traffic is an effective way to uncover these threats.