DNS tunneling detection through statistical fingerprints of protocol messages and machine learning

Aiello, Maurizio; Mongelli, Maurizio; Papaleo, Gianluca

doi:10.1002/dac.2836

Cited by 57 publications

(45 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This paper shares with the literature, , and the other papers mentioned in the previous section concerning SABID, not only the idea of detecting something by using statistical analysis. For instance “looking at simple statistical properties of protocol messages, such as statistics of packet inter‐arrival times and of packets sizes” may be useful to perform monitoring actions. “The key idea is that the information carried by packets at the network layer, such as packet‐size and inter‐arrival time between consecutive packets, are enough to infer the nature of the application protocol that generated those packets.” This sentence, referred in the work of Dusi et al to tunnels, may be literally applied to malware in this paper.…”

Section: Statistical Fingerprint‐based Intrusion Detection System—sf‐idssupporting

confidence: 60%

“…As far as statistical analysis based detection, 2 papers are particularly meaningful for the topic of this paper, even if they are not strictly related to malware detection: the works of Dusi et al and Aiello et al Both contributions are aimed at detecting application‐layer tunnels throughout statistical fingerprints. Dusi et al presents a statistical classification mechanism called Tunnel Hunter devoted to recognize a generic application protocol tunneled on top of HTTP or of SSH.…”

Section: State Of the Artmentioning

confidence: 99%

“…The accuracy is 100 % for HTTP tunnels and above 99 % for SSH ones. Aiello et al aim at detecting DNS tunnels. The accuracy for a mix of applications is close to 99 % .…”

Section: State Of the Artmentioning

confidence: 99%

See 2 more Smart Citations

Statistical fingerprint‐based intrusion detection system (SF‐IDS)

Boero

Cello

Marchese

et al. 2016

Int J Communication

View full text Add to dashboard Cite

Summary Intrusion detection systems (IDS) are systems aimed at analyzing and detecting security problems. The IDS may be structured into misuse and anomaly detection. The former are often signature/rule IDS that detect malicious software by inspecting the content of packets or files looking for a “signature” labeling malware. They are often very efficient, but their drawback stands in the weakness of the information to check (eg, the signature), which may be quickly dated, and in the computation time because each packet or file needs to be inspected. The IDS based on anomaly detection and, in particular, on statistical analysis have been originated to bypass the mentioned problems. Instead of inspecting packets, each traffic flow is observed so getting a statistical characterization, which represents the fingerprint of the flow. This paper introduces a statistical analysis based intrusion detection system, which, after extracting the statistical fingerprint, uses machine learning classifiers to decide whether a flow is affected by malware or not. A large set of tests is presented. The obtained results allow selecting the best classifiers and show the performance of a decision maker that exploits the decisions of a bank of classifiers acting in parallel.

show abstract

Section: Statistical Fingerprint‐based Intrusion Detection System—sf‐idssupporting

confidence: 60%

Section: State Of the Artmentioning

confidence: 99%

See 1 more Smart Citation

Statistical fingerprint‐based intrusion detection system (SF‐IDS)

Boero

Cello

Marchese

et al. 2016

Int J Communication

View full text Add to dashboard Cite

show abstract

“…Similarly, Aiello et al [8] have proposed a machine learning technique in order to detect the DNS tunneling. The proposed method examines simple statistical features of protocol messages, such as statistics of packets interarrival times and of packets' sizes.…”

Section: Related Workmentioning

confidence: 99%

“…The key characteristic behind the MLT lies in the historical data that should be provided in order to make the machine train and build the statistical model. Several researchers have examined the use of machine learning in terms of detecting DNS tunneling such as [7][8][9]. However, these studies have treated the problem of DNS tunneling as a binary classification where the class label is either legitimate or tunnel.…”

Section: Introductionmentioning

confidence: 99%

DNS Tunneling Detection Method Based on Multilabel Support Vector Machine

Almusawi

Amintoosi

2018

Security and Communication Networks

View full text Add to dashboard Cite

DNS tunneling is a method used by malicious users who intend to bypass the firewall to send or receive commands and data. This has a significant impact on revealing or releasing classified information. Several researchers have examined the use of machine learning in terms of detecting DNS tunneling. However, these studies have treated the problem of DNS tunneling as a binary classification where the class label is either legitimate or tunnel. In fact, there are different types of DNS tunneling such as FTP-DNS tunneling, HTTP-DNS tunneling, HTTPS-DNS tunneling, and POP3-DNS tunneling. Therefore, there is a vital demand to not only detect the DNS tunneling but rather classify such tunnel. This study aims to propose a multilabel support vector machine in order to detect and classify the DNS tunneling. The proposed method has been evaluated using a benchmark dataset that contains numerous DNS queries and is compared with a multilabel Bayesian classifier based on the number of corrected classified DNS tunneling instances. Experimental results demonstrate the efficacy of the proposed SVM classification method by obtaining an -measure of 0.80.

show abstract

Unsupervised learning and rule extraction for Domain Name Server tunneling detection

Aiello

Mongelli

Muselli

et al. 2018

Internet Technology Letters

View full text Add to dashboard Cite

The paper deals with k-means clustering and logic learning machine (LLM) for the detection of Domain Name Server (DNS) tunneling. As the LLM shows more versatility in rule generation and classification precision with respect to traditional decision trees, the approach reveals to be robust to a large set of system conditions. The detection algorithm is designed to be applied over streaming data, without accurate tuning of algorithms' parameters. An extensive performance evaluation is provided with respect to different tunneling tools and applications; silent intruders are considered. Results show robustness on a test set that exhibits a different behavior from training. KEYWORDS covert channel, rule extraction, unsupervised learning 1 Internet Technology Letters. 2019;2:e85.wileyonlinelibrary.com/journal/itl2

show abstract

DNS tunneling detection through statistical fingerprints of protocol messages and machine learning

Cited by 57 publications

References 26 publications

Statistical fingerprint‐based intrusion detection system (SF‐IDS)

Statistical fingerprint‐based intrusion detection system (SF‐IDS)

DNS Tunneling Detection Method Based on Multilabel Support Vector Machine

Unsupervised learning and rule extraction for Domain Name Server tunneling detection

Contact Info

Product

Resources

About