Abstract: DNS (domain name system) is an important part of the Internet infrastructure. DNS traffic is generally not intercepted by network security defense devices such as firewalls. Because it penetrates perimeter defenses easily and is hard to notice, the covert channel based on the DNS protocol has become a common means of command and control and data transmission for attackers. Existing studies lack detection techniques or methods for DNS covert channels in real APT (advanced persistent threat) attacks, and the features they extract are not comprehensive enough. In order to analyze attack traffic and behavior characteristics in depth, this paper models DNS covert communication in real APT attacks using finite state machines. Firstly, the construction mechanism of the DNS covert channel in an APT attack scenario is analyzed, and its data interaction process is described in detail. Secondly, the DNS covert communication mechanism is summarized and analyzed, and a communication model is established based on a finite state machine. The model has seven states in the communication process, including close, connect, command query and command transfer, and the transmission of different types of messages, namely control messages and data messages, triggers the state transitions. Finally, the leaked Glimpse tool is used to simulate DNS covert communication under a real APT attack, and malicious samples such as Helminth are used to verify the applicability and rationality of the model, so as to provide a real and sufficient basis for manual feature extraction.
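The following is an added illustration, not code from the paper: a per-client tracker built on the four states the abstract names (close, connect, command query, command transfer), showing how such a state-machine model yields countable features for detection. The transition table, the split of control messages into connect/query/close sub-types, the client addresses and the event sequence are all assumptions constructed for the example; the paper's remaining three states are not modeled.

```python
from dataclasses import dataclass

# States named in the abstract; the other three states are not modeled here.
CLOSE, CONNECT, COMMAND_QUERY, COMMAND_TRANSFER = (
    "close", "connect", "command_query", "command_transfer")

# Assumed transition table: (state, message kind) -> next state.
# "control:*" and "data" are the abstract's two message classes; the
# control sub-types are an assumption so the three control steps differ.
TRANSITIONS = {
    (CLOSE, "control:connect"): CONNECT,
    (CONNECT, "control:query"): COMMAND_QUERY,
    (COMMAND_QUERY, "data"): COMMAND_TRANSFER,
    (COMMAND_TRANSFER, "data"): COMMAND_TRANSFER,
    (COMMAND_TRANSFER, "control:close"): CLOSE,
}

@dataclass
class ClientSession:
    state: str = CLOSE
    transitions: int = 0     # feature: state changes observed
    data_messages: int = 0   # feature: data messages carried
    unexpected: int = 0      # feature: messages the model does not expect
    sessions: int = 0        # feature: completed connect..close cycles

def step(session, kind):
    """Advance one client's state for a single classified DNS message."""
    nxt = TRANSITIONS.get((session.state, kind))
    if nxt is None:
        session.unexpected += 1   # ordinary DNS use does not fit the model
        return
    if nxt != session.state:
        session.transitions += 1
    if kind == "data":
        session.data_messages += 1
    if nxt == CLOSE:
        session.sessions += 1
    session.state = nxt

def track(events):
    """events: (client, message_kind) pairs, already classified upstream."""
    clients = {}
    for client, kind in events:
        step(clients.setdefault(client, ClientSession()), kind)
    return clients

def suspicious(clients, min_data=3):
    """Clients that completed a full cycle and moved >= min_data data messages."""
    return sorted(c for c, s in clients.items()
                  if s.sessions >= 1 and s.data_messages >= min_data)

# Constructed sample: one client following the model, one ordinary resolver user.
SAMPLE = [("10.0.0.5", "control:connect"), ("10.0.0.5", "control:query"),
          ("10.0.0.5", "data"), ("10.0.0.5", "data"), ("10.0.0.5", "data"),
          ("10.0.0.5", "control:close"), ("10.0.0.9", "data"), ("10.0.0.9", "data")]
```

Running `suspicious(track(SAMPLE))` returns `['10.0.0.5']`; the per-client counters are the kind of hand-derived features the model is meant to support.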