DNSxD: Detecting Data Exfiltration Over DNS

Steadman, Jacob; Scott-Hayward, Sandra

doi:10.1109/nfv-sdn.2018.8725640

Cited by 16 publications

(15 citation statements)

References 6 publications

(5 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This is because our goal was to prevent information leakage by detecting DNS clients infected with malware in targeted attacks. As discussed in Section II-C, some researchers have focused on domain names and proposed filters whose design guideline was to identify the domain names used to perform DNS tunneling [11], [14], [18], [20], [21]. The shortcoming of such methods is that they fail when the attackers and their malware change tactics and utilize several domain names for the attacks.…”

Section: Discussionmentioning

confidence: 99%

“…DET [38] [20], [23], [24] DNScat [39] or DNScat2 [26] [12], [17], [18], [20], [22], [24] DNSExfiltrator [40] [20], [24] DNSMessenger [41] [23] DNSpionage [42] [23] dns2tcp [33] [9], [15], [16], [21], [22], [24] FrameworkPOS [43] [21], [23] iodine [32]…”

Section: B Conventional Attack Methodsmentioning

confidence: 99%

“…During a DNS tunneling attack, the cache hit ratio is expected to decrease because the malicious DNS queries generated to exfiltrate data cause cache misses, as discussed in Section II-A. To the best of our knowledge, this characteristic of DNS tunneling has not been [11], [17], [20] P Ratio of numerical characters to total characters in FQDN [17] P Time interval between query and response [17] P Time interval between responses of specific domain [17] P Access counts of resource records [14], [17] T Averages and variances of query size, response size, and time interval between a query and its response [15], [ [11], [14], [18], [20], [21]…”

Section: Cache-property-aware Features For Dns Tunneling Detectionmentioning

confidence: 99%

See 2 more Smart Citations

DNS Tunneling Detection by Cache-Property-Aware Features

Ishikura

Kondo

Vassiliades

et al. 2021

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

Many enterprises are under threat of targeted attacks aiming at data exfiltration. To launch such attacks, in recent years, attackers with their malware have exploited a covert channel that abuses the domain name system (DNS) named DNS tunneling. Although several research efforts have been made to detect DNS tunneling, the existing methods rely on features that advanced tunneling techniques can easily obfuscate by mimicking legitimate DNS clients. Such obfuscation would result in data leakage. To tackle this problem, we focused on a "trace" left by DNS tunneling that cannot be easily hidden. In the context of data exfiltration by DNS tunneling, the malware connects directly to the DNS cache server and the generated DNS tunneling queries produce cache misses with absolute certainty. In this study, we propose a DNS tunneling detection method based on the cache-property-aware features. Our experiments show that one of the proposed features can efficiently characterize the DNS tunneling traffic. Furthermore, we introduce a rule-based filter and a long short-term memory (LSTM)-based filter using this proposed feature. The rule-based filter achieves a higher rate of DNS tunneling attack detection than the LSTM one, which instead detects the attack more quickly, while both maintain a low misdetection rate.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: B Conventional Attack Methodsmentioning

confidence: 99%

Section: Cache-property-aware Features For Dns Tunneling Detectionmentioning

confidence: 99%

See 1 more Smart Citation

DNS Tunneling Detection by Cache-Property-Aware Features

Ishikura

Kondo

Vassiliades

et al. 2021

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

show abstract

“…The payload analysis is an evaluation of a DNS query and/or the corresponding DNS response, while the traffic analysis is an evaluation of DNS traffic over a monitoring period (e.g., in terms of time, number of samples, etc.). The features of interest in payload analysis are, for example, unigram or bigram character frequencies of domains or subdomains [4], [5], FQDN length [11], [15], entropy [11], [13], [15], the first 512 bytes of a DNS response [12], and the number of labels [15]. Regarding traffic analysis, the usual features of interest are, for example, the number of flows [6], Jensen-Shannon divergence computed from DNS query payloads [7], access counts of resource records [8], average time interval between a query and its response [9], a combination of Principal Component Analysis (PCA) and mutual information [10], the number of queries per domain [13], and average query length per domain [14].…”

Section: B Related Workmentioning

confidence: 99%

“…The features of interest in payload analysis are, for example, unigram or bigram character frequencies of domains or subdomains [4], [5], FQDN length [11], [15], entropy [11], [13], [15], the first 512 bytes of a DNS response [12], and the number of labels [15]. Regarding traffic analysis, the usual features of interest are, for example, the number of flows [6], Jensen-Shannon divergence computed from DNS query payloads [7], access counts of resource records [8], average time interval between a query and its response [9], a combination of Principal Component Analysis (PCA) and mutual information [10], the number of queries per domain [13], and average query length per domain [14]. These features are fed to machine learning models or used as thresholds to build countermeasures for DNS tunneling detection.…”

Section: B Related Workmentioning

confidence: 99%

Cache-Property-Aware Features for DNS Tunneling Detection

Ishikura

Kondo

Iordanov³

et al. 2020

2020 23rd Conference on Innovation in Clouds, Internet and Networks and Workshops (ICIN)

View full text Add to dashboard Cite

A lot of enterprises are under threat of targeted attacks causing data exfiltration. As a means of performing the attacks, attackers and their malware have exploited DNS tunneling in recent years. Although there are many research efforts to detect DNS tunneling, the previously proposed methods rely on features that the malicious entities can easily obfuscate by mimicking legitimate ones. Therefore, this obfuscation would result in data leakage. In order to mitigate this issue, we focus on a trace of DNS tunneling, which cannot be easily hidden. In the context of DNS data exfiltration, malware connects directly to the DNS cache server, and a DNS tunneling query produces a cache miss with absolute certainty. In this work, we propose features derived from this cache property. Our extensive experiments show that one of the proposed features can clearly distinguish DNS tunneling traffic, which makes it useful to design and implement a solid DNS firewall against DNS tunneling.

show abstract