DNS Tunneling Detection using Machine Learning and Cache Miss Properties

Chowdhary, Aastha; Bhowmik, Madhuparna; Rudra, Bhawana

doi:10.1109/iciccs51141.2021.9432279

Cited by 9 publications

(7 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Accuracies have been reached to clarify that entropy is based on the hostname is a useful feature for DNS tunneling detection. This outcome can be seen depending on the obtained results from Chowdhary et al (2021).…”

Section: Related Workmentioning

confidence: 88%

“…This is done while the prototype is being implemented, training data is being prepared and the model is being created (Jin et al, 2019). Chowdhary et al (2021) proposed two distinct approaches for spotting the DNS Tunneling query. Later, these methods are merged to develop a DNS tunneling attack detector, which has the capability of informing the user about a possible attack taking place in real-time.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Improved Intrusion Detection System to Alleviate Attacks on DNS Service

Al-Mimi,

Hamad,

Abualhaj

et al. 2023

Journal of Computer Science

View full text Add to dashboard Cite

Cybercriminals continuously devise new and more sophisticated ways to attack their targets' security and cyberattacks are on the rise. One of the earliest and most vulnerable network services is the Domain Name System (DNS), which has had several security issues that have been repeatedly exploited over time. Building a strong Intrusion Detection System (IDS) that guards against unwanted access to network resources is essential to identify DNS attacks in the network and safeguard data. Recently, a number of interesting approaches have been developed as a cure-all for intrusion detection, but constructing a safe DNS system remains difficult because attackers frequently alter their tactics to move around the system's security measures. In this study, we provide a self-learning model that detects the new attacks on DNS using machine learning classifiers. Support Vector Machine (SVM), K-nearest neighbor, Naive Bayes, and Decision Tree are used in the proposed model to classify data as intrusive or normal. The UNSW_NB15 dataset is used to assess the model performance. Data are preprocessed to eliminate irrelevant attributes from the dataset given that the dimensions of the data affect the success of an IDS. Empirical findings show that SVM and Decision Tree have the best performance for all the classifiers, with an accuracy rate of 99.99%. The performance of Naive Bayes is 99.89% for all attack types, which is the lowest of all the classifiers.

show abstract

Section: Related Workmentioning

confidence: 88%

Section: Related Workmentioning

confidence: 99%

Improved Intrusion Detection System to Alleviate Attacks on DNS Service

Al-Mimi,

Hamad,

Abualhaj

et al. 2023

Journal of Computer Science

View full text Add to dashboard Cite

show abstract

“…The experiments used eight DNS tunnel tools, including iodine, dnscat2, dns2tcp, DNShell, OzymanDNS, Cobalt Strike, DNSExfiltrator, and DET. A. Chowdhary et al [20] combined two methods for detecting DNS tunneling queries generated by tunnel tools, such as dns2tcp, iodine, tuns, and DNScapy. One method utilizes cache misses in DNS full-service resolvers, and the other uses machine learning technology to classify DNS queries.…”

Section: A Malicious Dns Tunnel Detectionmentioning

confidence: 99%

Malicious DNS Tunnel Tool Recognition Using Persistent DoH Traffic Analysis

Mitsuhashi

Jin

Iida

et al. 2023

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

DNS over HTTPS (DoH) protocol can mitigate the risk of privacy breaches but makes it difficult to control network security services due to the DNS traffic encryption. However, since malicious DNS tunnel tools for the DoH protocol pose network security threats, network administrators need to recognize malicious communications even after the DNS traffic encryption has become widespread. In this paper, we propose a malicious DNS tunnel tool recognition system using persistent DoH traffic analysis based on machine learning. The proposed system can accomplish continuous knowledge updates for emerging malicious DNS tunnel tools on the machine learning model. The system is based on hierarchical machine learning classification and focuses on DoH traffic analysis. The evaluation results confirm that the proposed system is able to recognize the six malicious DNS tunnel tools in total, not only well-known ones, including dns2tcp, dnscat2, and iodine, but also the emerging ones such as dnstt, tcp-over-dns, and tuns with 98.02% classification accuracy.

show abstract

“…Chowdhary, Bhowmik, and Rudra, in [34], built a DNS tunneling attack detector. The authors of this paper combined two methods to build a detector.…”

Section: Related Workmentioning

confidence: 99%

Real-Time Detection System for Data Exfiltration over DNS Tunneling Using Machine Learning

et al. 2023

View full text Add to dashboard Cite

The domain name system (DNS) plays a vital role in network services for name resolution. By default, this service is seldom blocked by security solutions. Thus, it has been exploited for security breaches using the DNS covert channel (tunnel). One of the greatest current data leakage techniques is DNS tunneling, which uses DNS packets to exfiltrate sensitive and confidential data. Data protection against stealthy exfiltration attacks is critical for human beings and organizations. As a result, many security techniques have been proposed to address exfiltration attacks starting with building security policies and ending with designing security solutions, such as firewalls, intrusion detection or prevention, and others. In this paper, a hybrid DNS tunneling detection system has been proposed based on the packet length and selected features for the network traffic. The proposed system takes advantage of the outcome results conducted using the testbed and Tabu-PIO feature selection algorithm. The evolution of the proposed system has already been completed using three distinct datasets. The experimental outcome results show that the proposed hybrid approach achieved 98.3% accuracy and a 97.6% F-score in the DNS tunneling datasets, which outperforms the other related works’ techniques using the same datasets. Moreover, when the packet length was added into the hybrid approach, the run-time shows better results than when Tabu-PIO was used when the size of the data increases.

show abstract

DNS Tunneling Detection using Machine Learning and Cache Miss Properties

Cited by 9 publications

References 10 publications

Improved Intrusion Detection System to Alleviate Attacks on DNS Service

Improved Intrusion Detection System to Alleviate Attacks on DNS Service

Malicious DNS Tunnel Tool Recognition Using Persistent DoH Traffic Analysis

Real-Time Detection System for Data Exfiltration over DNS Tunneling Using Machine Learning

Contact Info

Product

Resources

About