DNS (Domain Name System) tunnels almost obscure the true network activities of users, which makes it challenging for the gateway or censorship equipment to identify malicious or unpermitted network behaviors. An efficient way to address this problem is to conduct a temporal‐spatial analysis on the tunnel traffic. Nevertheless, current studies on this topic limit the DNS tunnel to those with a single protocol, whereas more than one protocol may be used simultaneously. In this paper, we concentrate on the refined identification of two protocols mixed in a DNS tunnel. A feature set is first derived from DNS query and response flows, which is incorporated with deep neural networks to construct a regression model. We benchmark the proposed method with captured DNS tunnel traffic, the experimental results show that the proposed scheme can achieve identification accuracy of more than 90%. To the best of our knowledge, the proposed scheme is the first to estimate the ratios of two mixed protocols in DNS tunnels.

中文翻译：

---

基于回归分析的DNS隧道中混合流量的精细识别

DNS（域名系统）隧道几乎掩盖了用户的真实网络活动，这给网关或检查设备识别恶意或未经许可的网络行为带来了挑战。解决此问题的有效方法是对隧道流量进行时空分析。但是，当前有关此主题的研究将DNS隧道限制为具有单个协议的DNS隧道，而可以同时使用多个协议。在本文中，我们集中于DNS隧道中混合的两种协议的精确识别。首先从DNS查询和响应流派生功能集，然后将其与深度神经网络合并以构建回归模型。我们使用捕获的DNS隧道流量对建议的方法进行基准测试，实验结果表明，该方案可以达到90％以上的识别精度。据我们所知，所提出的方案是第一个估计DNS隧道中两种混合协议的比率的方案。