A Bigram based Real Time DNS Tunnel Detection Approach

Cheng, Qi; Chen, Xiaojun; Cui, Xu; Shi, Jinqiao; Liu, Peipeng

doi:10.1016/j.procs.2013.05.109

Cited by 53 publications

(32 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The inherent advantages and drawbacks of anomaly-based detection have been summarized at the end of Section 2.1, and an example is reported in the performance evaluation. Other approaches are based on character frequency analysis of the domain names [26,28]. More specifically, the tool of [27] detects DNS tunneling by exploiting a neural network whose inputs include information about the used domain names.…”

Section: Related Literaturementioning

confidence: 99%

See 1 more Smart Citation

DNS tunneling detection through statistical fingerprints of protocol messages and machine learning

Aiello

Mongelli

Papaleo

2014

Int J Communication

View full text Add to dashboard Cite

The use of covert-channel methods to bypass security policies has increased considerably in the recent years. Malicious users neutralize security restriction by encapsulating protocols like peer-to-peer, chat or http proxy into other allowed protocols like Domain Name Server (DNS) or HTTP. This paper illustrates a machine learning approach to detect one particular covert-channel technique: DNS tunneling.Despite packet inspection may guarantee reliable intrusion detection in this context, it may suffer of scalability performance when a large set of sockets should be monitored in real time. Detecting the presence of DNS intruders by an aggregation-based monitoring is of main interest as it avoids packet inspection, thus preserving privacy and scalability. The proposed monitoring mechanism looks at simple statistical properties of protocol messages, such as statistics of packets inter-arrival times and of packets sizes. The analysis is complicated by two drawbacks: silent intruders (generating small statistical variations of legitimate traffic) and quick statistical fingerprints generation (to obtain a detection tool really applicable in the field).Results from experiments conducted on a live network are obtained by replicating individual detections over successive samples over time and by making a global decision through a majority voting scheme. The technique overcomes traditional classifier limitations. An insightful analysis of the performance leads to discover a unique intrusion detection tool, applicable in the presence of different tunneled applications. ¶ The n s with an order of magnitude more (n s D 10 4 ) captures features with a higher measurement stability, thus allowing to reach the steady state after K=811 samples.

show abstract

Section: Related Literaturementioning

confidence: 99%

“…More specifically, the tool of [27] detects DNS tunneling by exploiting a neural network whose inputs include information about the used domain names. Other approaches are based on character frequency analysis of the domain names [26,28].…”

Section: Related Literaturementioning

confidence: 99%

DNS tunneling detection through statistical fingerprints of protocol messages and machine learning

Aiello

Mongelli

Papaleo

2014

Int J Communication

View full text Add to dashboard Cite

show abstract

“…The domain names used by Pisloader are not random-like, which is why Pisloader would stay undetected. Same goes for the detection technique presented in [26], although they better their detection possibilities by dividing data into training and classification parts, and by providing good performance metrics results. A DNS tunneling detection technique that would possibly detect the Pisloader malware is introduced in [28,29].…”

Section: Theoretical Comparison Of Dns Tunneling Detection Techniquesmentioning

confidence: 97%

“…Character frequency analysis was used for detecting DNS tunnels in [26] too. The key idea of their approach is the score mechanism, which is able to separate normal and tunnel domain names based on bigram character frequency in real-time.…”

Section: Payload Inspectionmentioning

confidence: 99%

DNS Tunneling Detection Techniques – Classification, and Theoretical Comparison in Case of a Real APT Campaign

Nuojua

David

Hämäläinen

2017

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Domain Name System (DNS) plays an important role as a translation protocol in everyday use of the Internet. The purpose of DNS is to translate domain names into IP addresses and vice versa. However, its simple architecture can easily be misused for malicious activities. One huge security threat concerning DNS is tunneling, which helps attackers bypass the security systems unnoticed. A DNS tunnel can be used for three purposes: as a command and control channel, for data exfiltration or even for tunneling another protocol through it. In this paper, we surveyed different techniques for DNS tunneling detection. We classified those first based on the type of data and then within the categories based on the type of analysis. We conclude with a comparison between the various detection techniques. We introduce one real Advanced Persistent Threat campaign that utilizes DNS tunneling, and theoretically compare how well the surveyed detection techniques could detect it.

show abstract

“…Detection of DNS Tunnels: There are some proposed methods for detecting DNS tunneling within a network by using the n-gram analysis [6], [17]. They presented promising results in terms of detecting the tunnels.…”

Section: Related Workmentioning

confidence: 99%

Characterization of Covert Channels in DNS

Binsalleeh

Kara²,

Youssef

et al. 2014

2014 6th International Conference on New Technologies, Mobility and Security (NTMS)

View full text Add to dashboard Cite

Malware families utilize different protocols to establish their covert communication networks. It is also the case that sometimes they utilize protocols which are least expected to be used for transferring data, e.g., Domain Name System (DNS). Even though the DNS protocol is designed to be a translation service between domain names and IP addresses, it leaves some open doors to establish covert channels in DNS, which is widely known as DNS tunneling. In this paper, we characterize the malicious payload distribution channels in DNS. Our proposed solution characterizes these channels based on the DNS query and response messages patterns. We performed an extensive analysis of malware datasets for one year. Our experiments indicate that our system can successfully determine different patterns of the DNS traffic of malware families.

show abstract

A Bigram based Real Time DNS Tunnel Detection Approach

Cited by 53 publications

References 4 publications

DNS tunneling detection through statistical fingerprints of protocol messages and machine learning

DNS tunneling detection through statistical fingerprints of protocol messages and machine learning

DNS Tunneling Detection Techniques – Classification, and Theoretical Comparison in Case of a Real APT Campaign

Characterization of Covert Channels in DNS

Contact Info

Product

Resources

About