DNS Tunneling Detection by Cache-Property-Aware Features

Ishikura, Naotake; Kondo, Daishi; Vassiliades, Vassilis; Iordanov, Iordan; Tode, Hideki

doi:10.1109/tnsm.2021.3078428

Cited by 24 publications

(10 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The aggregation of alerts is a crucial aspect of attack prevention [40]- [42]. One singular incident, such as a gratuitous ARP or a single scan, could hint that an attack is in progress if it belongs to a sequence.…”

Section: Discussionmentioning

confidence: 99%

Cybersecurity Alert Prioritization in a Critical High Power Grid With Latent Spaces

et al. 2023

View full text Add to dashboard Cite

High-Power electric grid networks require extreme security in their associated telecommunication network to ensure protection and control throughout power transmission. Accordingly, supervisory control and data acquisition systems form a vital part of any critical infrastructure, and the safety of the associated telecommunication network from intrusion is crucial. Whereas events related to operation and maintenance are often available and carefully documented, only some tools have been proposed to discriminate the information dealing with the heterogeneous data from intrusion detection systems and to support the network engineers. In this work, we present the use of deep learning techniques, such as Autoencoders or conventional Multiple Correspondence Analysis, to analyze and prune the events on power communication networks in terms of categorical data types often used in anomaly and intrusion detection (such as addresses or anomaly description). This analysis allows us to quantify and statistically describe high-severity events. Overall, portions of alerts around 5-10% have been prioritized in the analysis as first to handle by managers. Moreover, probability clouds of alerts have been shown to configure explicit manifolds in latent spaces. These results offer a homogeneous framework for implementing anomaly detection prioritization in power communication networks.

show abstract

Section: Discussionmentioning

confidence: 99%

Cybersecurity Alert Prioritization in a Critical High Power Grid With Latent Spaces

et al. 2023

View full text Add to dashboard Cite

show abstract

“…Also, they differ from DNS redirection, which changes response records for the sake of advertisement [24,41] or censorship [5,25]. Lastly, they are not part of DNS tunneling, which carries ancillary information [19] not related to name resolution.…”

Section: Discussionmentioning

confidence: 99%

Transparent Forwarders: An Unnoticed Component of the Open DNS Infrastructure

Nawrocki,

Koch,

Schmidt

et al. 2021

Preprint

View full text Add to dashboard Cite

In this paper, we revisit the open DNS (ODNS) infrastructure and, for the first time, systematically measure and analyze transparent forwarders, DNS components that transparently relay between stub resolvers and recursive resolvers. Our key findings include four takeaways. First, transparent forwarders contribute 26% (563k) to the current ODNS infrastructure. Unfortunately, common periodic scanning campaigns such as Shadowserver do not capture transparent forwarders and thus underestimate the current threat potential of the ODNS. Second, we find an increased deployment of transparent forwarders in Asia and South America. In India alone, the ODNS consists of 80% transparent forwarders. Third, many transparent forwarders relay to a few selected public resolvers such as Google and Cloudflare, which confirms a consolidation trend of DNS stakeholders. Finally, we introduce DNSRoute++, a new traceroute approach to understand the network infrastructure connecting transparent forwarders and resolvers. CCS CONCEPTS• Networks → Public Internet; Security protocols; Network measurement; • Security and privacy → Security protocols.

show abstract

“…Wang et al (2021) abordou várias técnicas de detecção de tunelamento DNS entre 2006 e 2020, classificando parâmetros entre pacotes e fluxos DNS, assim como diferenciando os métodos de detecção entre regras, assinaturas e baseados em ML. Bai et al (2021) e Ishikura et al (2021) focaram na combinação eficiente entre seleção e extração de parâmetros identificadores de tunelamento DNS e algoritmos com o maior nível de acurácia possível. Em Chen et al (2021), houve a definição de duas categorias de parâmetros: pacotes DNS, processados em tempo real e em sessões DNS, que dispensam análise de carga útil dos pacotes, porém com alta complexidade computacional.…”

Section: Trabalhos Relacionadosunclassified

“…Time-to-live TTL: é importante que o tráfego DNS encapsulado tenha o menor TTL possível para que as solicitações ao domínio malicioso não sejam armazenadas em cache no resolvedor local, forçando altas taxas de cache miss (falha em encontrar o subdomínio nos registros do servidor resolvedor), Ishikura et al 2021.…”

Section: Seleção De Parâmetrosunclassified

See 1 more Smart Citation

Identificação De Túneis DNS Em Nuvem Computacional Usando Detecção De Anomalias

2022

Proceedings of the Ibero American Conferences on Applied Computing 2022 and WWW/Internet 2022

View full text Add to dashboard Cite

A técnica de tunelamento DNS utiliza recursos do protocolo DNS para estabelecer canais de comando e controle entre máquinas cliente e servidores remoto, podendo ser explorada para acesso não-autorizado e exfiltração de dados privados. Atualmente, os ataques de tunelamento DNS afetam sistemas multiplataforma, englobando recursos computacionais local e em nuvem. Este artigo propõe um modelo operacional de identificação de túneis DNS usando detecção de anomalias em um ambiente Amazon Web Service (AWS). Ferramentas de tunelamento DNS foram testadas para produzir requisições anômalas e construir uma base de dados integrada à pilha ELK, processando métodos de aprendizado de máquina (machine learning) não-supervisionados, para análise e detecção de atividades maliciosas. O modelo proposto resultou em altos níveis de precisão e constituiu uma evolução no contexto de segurança em nuvem para as arquiteturas corporativas.

show abstract

DNS Tunneling Detection by Cache-Property-Aware Features

Cited by 24 publications

References 25 publications

Cybersecurity Alert Prioritization in a Critical High Power Grid With Latent Spaces

Cybersecurity Alert Prioritization in a Critical High Power Grid With Latent Spaces

Transparent Forwarders: An Unnoticed Component of the Open DNS Infrastructure

Identificação De Túneis DNS Em Nuvem Computacional Usando Detecção De Anomalias

Contact Info

Product

Resources

About