Stream-wise detection of surreptitious traffic over DNS

Čejka, Tomáš; Zdenek, Rosa; Kubátová, Hana

doi:10.1109/camad.2014.7033254

Cited by 9 publications

(6 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The idea is to apply the algorithm over streaming data, that is, during server operation . A new analysis for anomaly detection is thus triggered over a new block of features once a new feature is available.…”

Section: Cascading Clustering With Llmmentioning

confidence: 99%

Unsupervised learning and rule extraction for Domain Name Server tunneling detection

Aiello

Mongelli

Muselli

et al. 2018

Internet Technology Letters

View full text Add to dashboard Cite

The paper deals with k-means clustering and logic learning machine (LLM) for the detection of Domain Name Server (DNS) tunneling. As the LLM shows more versatility in rule generation and classification precision with respect to traditional decision trees, the approach reveals to be robust to a large set of system conditions. The detection algorithm is designed to be applied over streaming data, without accurate tuning of algorithms' parameters. An extensive performance evaluation is provided with respect to different tunneling tools and applications; silent intruders are considered. Results show robustness on a test set that exhibits a different behavior from training. KEYWORDS covert channel, rule extraction, unsupervised learning 1 Internet Technology Letters. 2019;2:e85.wileyonlinelibrary.com/journal/itl2

show abstract

Section: Cascading Clustering With Llmmentioning

confidence: 99%

Unsupervised learning and rule extraction for Domain Name Server tunneling detection

Aiello

Mongelli

Muselli

et al. 2018

Internet Technology Letters

View full text Add to dashboard Cite

show abstract

“…The last DNS tunneling detection technique presented in this paper combines both traffic and payload inspection [30]. The purpose is to detect tunnels and other anomalies via statistical analysis in huge volume of DNS traffic near real-time.…”

Section: Hybrid Inspectionmentioning

confidence: 99%

“…From the table, it can clearly be seen that some techniques cover more than one group. Especially, the hybrid detection technique [30] covers both traffic and payload inspection and both statistical and signature-based analysis. All the surveyed machine learning -based detection techniques can also be grouped into statistical analysis.…”

Section: Hybrid Inspectionmentioning

confidence: 99%

“…The hybrid inspection technique presented in [30] also pays attention to the differences between each DNS request/response, especially to the fields of DNS messages, such as TXT records. However, their detection module analyzes only the domain names that are classified as suspicious in advance.…”

Section: Theoretical Comparison Of Dns Tunneling Detection Techniquesmentioning

confidence: 99%

See 1 more Smart Citation

DNS Tunneling Detection Techniques – Classification, and Theoretical Comparison in Case of a Real APT Campaign

Nuojua

David

Hämäläinen

2017

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Domain Name System (DNS) plays an important role as a translation protocol in everyday use of the Internet. The purpose of DNS is to translate domain names into IP addresses and vice versa. However, its simple architecture can easily be misused for malicious activities. One huge security threat concerning DNS is tunneling, which helps attackers bypass the security systems unnoticed. A DNS tunnel can be used for three purposes: as a command and control channel, for data exfiltration or even for tunneling another protocol through it. In this paper, we surveyed different techniques for DNS tunneling detection. We classified those first based on the type of data and then within the categories based on the type of analysis. We conclude with a comparison between the various detection techniques. We introduce one real Advanced Persistent Threat campaign that utilizes DNS tunneling, and theoretically compare how well the surveyed detection techniques could detect it.

show abstract

“…The original traffic cannot be directly inspected as it becomes a part of the domain name of the DNS packets. There have been several schemes for discovering DNS tunnels [8–12]. Nevertheless, more detailed information about DNS tunneling is still unavailable to the network inspectors.…”

Section: Introductionmentioning

confidence: 99%

Refined identification of hybrid traffic in DNS tunnels based on regression analysis

et al. 2020

View full text Add to dashboard Cite

DNS (Domain Name System) tunnels almost obscure the true network activities of users, which makes it challenging for the gateway or censorship equipment to identify malicious or unpermitted network behaviors. An efficient way to address this problem is to conduct a temporal‐spatial analysis on the tunnel traffic. Nevertheless, current studies on this topic limit the DNS tunnel to those with a single protocol, whereas more than one protocol may be used simultaneously. In this paper, we concentrate on the refined identification of two protocols mixed in a DNS tunnel. A feature set is first derived from DNS query and response flows, which is incorporated with deep neural networks to construct a regression model. We benchmark the proposed method with captured DNS tunnel traffic, the experimental results show that the proposed scheme can achieve identification accuracy of more than 90%. To the best of our knowledge, the proposed scheme is the first to estimate the ratios of two mixed protocols in DNS tunnels.

show abstract

Stream-wise detection of surreptitious traffic over DNS

Cited by 9 publications

References 7 publications

Unsupervised learning and rule extraction for Domain Name Server tunneling detection

Unsupervised learning and rule extraction for Domain Name Server tunneling detection

DNS Tunneling Detection Techniques – Classification, and Theoretical Comparison in Case of a Real APT Campaign

Refined identification of hybrid traffic in DNS tunnels based on regression analysis

Contact Info

Product

Resources

About