Detecting Malicious DNS over HTTPS Traffic Using Machine Learning

Singh, Sunil K.; Roy, Pradeep Kumar

doi:10.1109/3ict51146.2020.9312004

Cited by 36 publications

(21 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…over HTTPS client, server software available on https://github.com/m13253/dns-over-https have slightly different metrics, the DoH traffic characteristics are significantly different from the other HTTPS traffic. Thus, it is possible to develop accurate methods of DoH traffic identification as already presented in the literature [33,34,35] but also to identify the different software implementations of DoH servers and their deployments.…”

Section: Dnsmentioning

confidence: 99%

Measurement and characterization of DNS over HTTPS traffic

Jeřábek¹,

Ryšavý²,

Burgetová³

2022

Preprint

View full text Add to dashboard Cite

Domain name system communication may provide sensitive information on users' Internet activity. DNS-over-TLS and DNS-over-HTTPS are proposals aiming at increasing the privacy of Internet end users. In this paper we present an overview of the current state in the deployment of DNS-over-HTTPS (DoH) implementations complemented by measurements of DoH traffic in terms of the incurred overhead and the possibility of the DoH detection based on the inherent characteristics of the communication patterns.

show abstract

Section: Dnsmentioning

confidence: 99%

Measurement and characterization of DNS over HTTPS traffic

Jeřábek¹,

Ryšavý²,

Burgetová³

2022

Preprint

View full text Add to dashboard Cite

show abstract

“…The authors developed machine-learning models with a hybrid set of features from a rich and diversified dataset that achieved over 99% precision in malicious DoH traffic detection. Using the "CIRA-CIC-DoHBrw-2020" dataset, three follow-up research works [26,27,105] demonstrated the effectiveness of various machine learning algorithms such as Logistic Regression (LR), Random Forest (RF), K-Nearest Neighbors (KNN), XGBoost, Light gradient boosting machine (LGBM) using 34 traffic features originally identified in [84].…”

Section: Featuresmentioning

confidence: 99%

A Survey on DNS Encryption: Current Development, Malware Misuse, and Inference Techniques

Lyu,

Gharakheili,

Sivaraman

2022

Preprint

View full text Add to dashboard Cite

The domain name system (DNS) that maps alphabetic names to numeric Internet Protocol (IP) addresses plays a foundational role for Internet communications. By default, DNS queries and responses are exchanged in unencrypted plaintext, and hence, can be read and/or hijacked by third parties. To protect user privacy, the networking community has proposed standard encryption technologies such as DNS over TLS (DoT), DNS over HTTPS (DoH), and DNS over QUIC (DoQ) for DNS communications, enabling clients to perform secure and private domain name lookups. We survey the DNS encryption literature published since 2016, focusing on its current landscape and how it is misused by malware, and highlighting the existing techniques developed to make inferences from encrypted DNS traffic. First, we provide an overview of various standards developed in the space of DNS encryption and their adoption status, performance, benefits, and security issues. Second, we highlight ways that various malware families can exploit DNS encryption to their advantage for botnet communications and/or data exfiltration. Third, we discuss existing inference methods for profiling normal patterns and/or detecting malicious encrypted DNS traffic. Several directions are presented to motivate future research in enhancing the performance and security of DNS encryption.CCS Concepts: • Networks → Application layer protocols; Naming and addressing; • Security and privacy → Security protocols; Malware and its mitigation.

show abstract

“…Following this, Singh et al applied several ML classifiers to detect attack activity in DoH and traditional DNS traffic [49]. They studied DoH security risks since DoH bypassed local security measures such as Firewalls and IDSs.…”

Section: Dns Traffic Analysismentioning

confidence: 99%

“…Taking all these factors into account, researchers have started to explore host-based and network-based monitoring for DoH protocol analysis [30]. To this end, some recent works have evaluated the use of Machine Learning (ML), entropy, and network packet distribution-based approaches for analyzing tunnelling and exfiltration attacks over DNS [21,34,43,49]. While some of these works focus on using DNS-specific attributes, others use traffic or malware-specific attributes.…”

Section: Introductionmentioning

confidence: 99%

Can We Detect Malicious Behaviours in Encrypted DNS Tunnels Using Network Flow Entropy?

Khodjaeva

Zincir-Heywood

Zincir

2022

JCSANDM

View full text Add to dashboard Cite

This paper explores the concept of entropy of a flow to augment flow statistical features for encrypted DNS tunnelling detection, specifically DNS over HTTPS traffic. To achieve this, the use of flow exporters, namely Argus, DoHlyzer and Tranalyzer2 are studied. Statistical flow features automatically generated by the aforementioned tools are then augmented with the flow entropy. In this work, flow entropy is calculated using three different techniques: (i) entropy over all packets of a flow, (ii) entropy over the first 96 bytes of a flow, and (iii) entropy over the first n-packets of a flow. These features are provided as input to ML classifiers to detect malicious behaviours over four publicly available datasets. This model is optimized using TPOT-AutoML system, where the Random Forest classifier provided the best performance achieving an average F-measure of 98% over all testing datasets employed.

show abstract

Detecting Malicious DNS over HTTPS Traffic Using Machine Learning

Cited by 36 publications

References 11 publications

Measurement and characterization of DNS over HTTPS traffic

Measurement and characterization of DNS over HTTPS traffic

A Survey on DNS Encryption: Current Development, Malware Misuse, and Inference Techniques

Can We Detect Malicious Behaviours in Encrypted DNS Tunnels Using Network Flow Entropy?

Contact Info

Product

Resources

About