DNS Tunneling Detection Techniques – Classification, and Theoretical Comparison in Case of a Real APT Campaign

Nuojua, Viivi; David, Gil; Hämäläinen, Timo

doi:10.1007/978-3-319-67380-6_26

Cited by 9 publications

(3 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…DNS tunneling is one of the techniques that allow creating a two-way communication channel by encoding data on both DNS queries (as part of the queried domain name) and DNS responses (in the resource record data). Various ML-based approaches have been proposed in the literature for detecting DNS tunneling, mainly using payload analysis (based on packet header fields) or traffic analysis (based on DNS session metrics) [Yassine et al, 2018] [Nadler et al, 2019] [Nuojua et al, 2017] [Yu et al, 2016. The remaining of this section discusses how those techniques can be leveraged in the proposed framework.…”

Section: The Use Case Of Data Exfiltrationmentioning

confidence: 99%

“…Each record was labeled and marked as anomalous if either the request or response contains one of the malicious domain names -therefore, this feature was not considered for any algorithm. The full list of used features, in line with previous works [Yassine et al, 2018] [ Nadler et al, 2019] [Nuojua et al, 2017] [Yu et al, 2016, is enumerated in Table 6.2. Their feature histograms, depicted in Figures 6.8, 6.9 and 6.10, show their pairwise distribution.…”

Section: The Use Case Of Data Exfiltrationmentioning

confidence: 99%

See 1 more Smart Citation

Intrusion and Anomaly Detection in Industrial Automation and Control Systems

Rosa

Cruz

Simões

et al. 2023

NOMS 2023-2023 IEEE/IFIP Network Operations and Management Symposium

View full text Add to dashboard Cite

The completion of my dissertation would not have been possible without the valuable discussions and all the constructive criticism they provided me. In that sense, first, I would like to extend my deepest gratitude to my formal supervisors. Paulo Simões, with his experience and unique way to look at things, always encouraged me on this journey.Invariably, he gave the peace of mind I needed. Then, Edmundo Monteiro whose help and patience cannot be overestimated. In my long journey with ups and downs, whenever I requested, he had a word for me. And last but not least, I would like to express my sincere gratitude to Tiago Cruz. For the careful reader, Tiago does not appear in the first pages as my official supervisor. Nevertheless, after starting this dissertation, I was lucky enough to meet him. Since then, in the last years, I have been working closely with him and we became friends, he was always there to support me and listen to my endless complaints.More, he was kind enough to provide me his expertise and guidance as my supervisor and discuss all the technical details of this dissertation. For all of those reasons, I will always consider him one of my supervisors.Next, without getting into details to avoid being unfair, I would like to thank my friends and colleagues who really worked with me for the past years and made this journey less lonely.We called ourselves the G54 team. This was a group of young and committed researchers who developed strong relationships way beyond the normal working environment. They consistently offered their help, technical support, and push me to complete my dissertation.I'm a proud member of the G54 spirit. Likewise, I would like to extend my sincere thanks to the LCT research group which I'm also proud to be part of. Their continuous support and all the pleasant moments we get together are truly priceless.Finally, I'm deeply indebted to my family, and in particular to my wife, for the full support, motivation, love, and patience.

show abstract

Section: The Use Case Of Data Exfiltrationmentioning

confidence: 99%

Section: The Use Case Of Data Exfiltrationmentioning

confidence: 99%

Intrusion and Anomaly Detection in Industrial Automation and Control Systems

Rosa

Cruz

Simões

et al. 2023

NOMS 2023-2023 IEEE/IFIP Network Operations and Management Symposium

View full text Add to dashboard Cite

show abstract

“…In order to avoid being identified, attackers usually build a covert channel in the form of an application-layer tunnel to implement C&C communications. Therefore, many kinds of network threats can be detected by identifying application-layer tunnels [1]. The application-layer tunnel refers to encapsulating data packets of a protocol into the payload of the data packets of an application layer protocol and is in a form of "Protocol over Protocol" [2][3][4].…”

Section: Introductionmentioning

confidence: 99%

Detection of Application-Layer Tunnels with Rules and Machine Learning

Lin

Liu

Yan

2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Application-layer tunnels are often used to construct covert channels in order to transmit secret data, which is often applied to raise network threats in recent years. Detection of application-layer tunnels can assist identifying a variety of network threats, thus has high research significance. In this paper, we explore application-layer tunnel detection and propose a generic detection method by applying both rules and machine learning. Our detection method mainly consists of two parts: rule-based domain name filtering for Domain Generation Algorithm (DGA) based on a trigram model and a machine learning model based on our proposed generic feature extraction framework for tunnel detection. The rule-based DGA domain name filtering can eliminate some obvious tunnels in order to reduce the amount of data processed by machine learning-based detection, thereby, the detection efficiency can be improved. The generic feature extraction framework comprehensively integrates previous research results by combining multiple detection methods, supporting multiple layers and performing multiple feature extraction. We take the three most common application-layer tunnels, i.e., DNS tunnel, HTTP tunnel and HTTPS tunnel as examples to analyze and test our detection method. The experimental results show that the proposed method is generic and efficient, compared with other existing approaches.

show abstract

Machine Learning Techniques for Accurately Detecting the DNS Tunneling

Alkasassbeh,

Almseidin

2023

Lecture Notes in Networks and Systems

View full text Add to dashboard Cite

DNS Tunneling Detection Techniques – Classification, and Theoretical Comparison in Case of a Real APT Campaign

Cited by 9 publications

References 19 publications

Intrusion and Anomaly Detection in Industrial Automation and Control Systems

Intrusion and Anomaly Detection in Industrial Automation and Control Systems

Detection of Application-Layer Tunnels with Rules and Machine Learning

Machine Learning Techniques for Accurately Detecting the DNS Tunneling

Contact Info

Product

Resources

About