Cache-Property-Aware Features for DNS Tunneling Detection

Ishikura, Naotake; Kondo, Daishi; Iordanov, Iordan; Vassiliades, Vassilis; Tode, Hideki

doi:10.1109/icin48450.2020.9059472

Cited by 7 publications

(3 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…DNS tunnelling can be employed for many purposes, such as carrying data for the packets of DNS [45]. The attacker exploits DNS tunnelling to exfiltrate data from the enterprises hacked into [56]. When the attacker bypasses the edge firewall of the enterprise, the tunnel can be used to execute a command or copy data through the domain name exploit in DNS queries and similar DNS replies [57].…”

Section: Protocol Abuse Attacksmentioning

confidence: 99%

A Comprehensive Review of DNS-based Distributed Reflection Denial of Service (DRDoS) Attacks: State-of-the-Art

Nuiaa¹,

Manickam²,

ALsaeedi³

2022

Int. J. Adv. Sci. Eng. Inf. Technol.

View full text Add to dashboard Cite

Cyberattacks significantly impact the services based on the internet that is used in our daily lives. Any disruption will make it extremely difficult for us to carry out our daily activities. Cyberattacks will disrupt online services, exploit vulnerabilities to breach databases and servers, and so on. Various systems and services contribute to the Internet's seamless functionality. The Domain Name System (DNS) is one of the most important services. DNS is used to resolve domain names into machine-readable IP addresses. DNS, like many other Internet services, is vulnerable to cyber-attacks. While DNS faces a slew of threats, one in particular appears to stand out. DNS is vulnerable to a variety of distributed denial-of-service attacks. The distributed reflection denial of service (DRDoS) attack, a flooding attack against DNS servers that renders them unavailable, disrupting domain name resolution activities, is one of the most common variants. DRDoS attacks have been on the rise in recent years. DNS lookup outages would significantly impact our online activities in the world of ultra-connectivity because they are typically the first step in establishing a connection with a server. The purpose of this paper is to present a state-of-the-art review of DRDoS attack detection and mitigation algorithms as well as the datasets on which these algorithms operate. Finally, we discussed each of these algorithms' relative merits and demerits.

show abstract

Section: Protocol Abuse Attacksmentioning

confidence: 99%

A Comprehensive Review of DNS-based Distributed Reflection Denial of Service (DRDoS) Attacks: State-of-the-Art

Nuiaa¹,

Manickam²,

ALsaeedi³

2022

Int. J. Adv. Sci. Eng. Inf. Technol.

View full text Add to dashboard Cite

show abstract

“…To the best of our knowledge, our previous work [1] was the first to analyze cache-property-aware features, and this paper is an extended version. We extend the previous work with the following contributions:…”

Section: Introductionmentioning

confidence: 99%

DNS Tunneling Detection by Cache-Property-Aware Features

Ishikura

Kondo

Vassiliades

et al. 2021

IEEE Trans. Netw. Serv. Manage.

Self Cite

View full text Add to dashboard Cite

Many enterprises are under threat of targeted attacks aiming at data exfiltration. To launch such attacks, in recent years, attackers with their malware have exploited a covert channel that abuses the domain name system (DNS) named DNS tunneling. Although several research efforts have been made to detect DNS tunneling, the existing methods rely on features that advanced tunneling techniques can easily obfuscate by mimicking legitimate DNS clients. Such obfuscation would result in data leakage. To tackle this problem, we focused on a "trace" left by DNS tunneling that cannot be easily hidden. In the context of data exfiltration by DNS tunneling, the malware connects directly to the DNS cache server and the generated DNS tunneling queries produce cache misses with absolute certainty. In this study, we propose a DNS tunneling detection method based on the cache-property-aware features. Our experiments show that one of the proposed features can efficiently characterize the DNS tunneling traffic. Furthermore, we introduce a rule-based filter and a long short-term memory (LSTM)-based filter using this proposed feature. The rule-based filter achieves a higher rate of DNS tunneling attack detection than the LSTM one, which instead detects the attack more quickly, while both maintain a low misdetection rate.

show abstract

“…Security threats take different forms, but one of these form is taking the advantage of domain name system (DNS) protocol for passing dangerous and malicious procedures, this attack attempt is known as DNS tunneling [1]. DNS is characterized by its simplicity where it intends to offer a straightforward way for accessing particular server through the domain name instead of the IP address [2][3][4][5]. Because of its simplicity, attackers attempt to use it for creating a tunnel to execute malicious scripts that intended to capture confidential information, gaining a super access, or attempting to harm the server [6].…”

Section: Introductionmentioning

confidence: 99%

A hybrid method of genetic algorithm and support vector machine for DNS tunneling detection

Al-Ibraheemi

AL-Ibraheemi²,

Amintoosi

2021

IJECE

View full text Add to dashboard Cite

With the expansion of the business over the internet, corporations nowadays are investing numerous amounts of money in the web applications. However, there are different threats could make the corporations vulnerable for potential attacks. One of these threats is harnessing the domain name protocol for passing harmful information, this kind of threats is known as DNS tunneling. As a result, confidential information would be exposed and violated. Several studies have investigated the machine learning in order to propose a detection approach. In their approaches, authors have used different and numerous types of features such as domain length, number of bytes, content, volume of DNS traffic, number of hostnames per domain, geographic location and domain history. Apparently, there is a vital demand to accommodate feature selection task in order to identify the best features. This paper proposes a hybrid method of genetic algorithm feature selection approach with the support vector machine classifier for the sake of identifying the best features that have the ability to optimize the detection of DNS tunneling. To evaluate the proposed method, a benchmark dataset of DNS tunneling has been used. Results showed that the proposed method has outperformed the conventional SVM by achieving 0.946 of f-measure

show abstract

Cache-Property-Aware Features for DNS Tunneling Detection

Cited by 7 publications

References 11 publications

A Comprehensive Review of DNS-based Distributed Reflection Denial of Service (DRDoS) Attacks: State-of-the-Art

A Comprehensive Review of DNS-based Distributed Reflection Denial of Service (DRDoS) Attacks: State-of-the-Art

DNS Tunneling Detection by Cache-Property-Aware Features

A hybrid method of genetic algorithm and support vector machine for DNS tunneling detection

Contact Info

Product

Resources

About