Policy-based Detection and Blocking System for Abnormal Direct Outbound DNS Queries using RPZ

doi:10.18178/wcse.2022.06.047

Proceedings of 2022 the 12th International Workshop on Computer Science and Engineering 2022

DOI: 10.18178/wcse.2022.06.047

|View full text |Cite

Policy-based Detection and Blocking System for Abnormal Direct Outbound DNS Queries using RPZ

Abstract: Bot-infected computers sending direct outbound DNS queries without obtaining the information of authoritative DNS servers from the DNS full resolvers set up in the internal network have become a critical security issue nowadays. In DNS protocol, the domain name resolution process obtains the information of necessary authoritative DNS name servers (NS records) at the beginning and then achieves the answers of the original DNS queries which is accomplished via the DNS full-service resolvers. However, some types … Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...

Citation Types

Supporting

Mentioning

Contrasting

Year Published

2023

Publication Types

Select...

Other1

Relationship

Self Cite0

Independent1

Authors

Journals

Cited by 1 publication

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

Detection of DGA-based Malware Communications from DoH Traffic Using Machine Learning Analysis

Mitsuhashi

Jin

Iida

et al. 2023

2023 IEEE 20th Consumer Communications &Amp; Networking Conference (CCNC)

View full text Add to dashboard Cite

Encrypted domain name resolution can reduce the risk of privacy leakage for Internet users, but it may also prevent network administrators from detecting suspicious communications. Since operating systems supporting DNS over HTTPS (DoH) have increased in recent years, malware that uses Domain Generation Algorithm (DGA) can exploit it to hide the generated domain names. In this paper, we propose a system that detects DGA-based malware communications from DoH traffic. Based on the concept of hierarchical machine learning analysis, the proposed system classifies network traffic with Gradient Boosting Decision Tree (GBDT) and tree-ensemble models. The evaluation confirmed that the system was able to detect DoH traffic generated by PadCrypt, Sisron, Tinba, and Zloader with 99.12% accuracy. The results indicate that the system has the ability to detect different DGA-based malware communications from DoH traffic with sufficient accuracy to support network administrators.

show abstract

Detection of DGA-based Malware Communications from DoH Traffic Using Machine Learning Analysis

Mitsuhashi

Jin

Iida

et al. 2023

2023 IEEE 20th Consumer Communications &Amp; Networking Conference (CCNC)

View full text Add to dashboard Cite

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Policy-based Detection and Blocking System for Abnormal Direct Outbound DNS Queries using RPZ

Cited by 1 publication

References 9 publications

Detection of DGA-based Malware Communications from DoH Traffic Using Machine Learning Analysis

Detection of DGA-based Malware Communications from DoH Traffic Using Machine Learning Analysis

Contact Info

Product

Resources

About