Congyuan Xu,Jizhong Shen,Xin Du

DOI: https://doi.org/10.1016/j.cose.2019.04.015

IF: 5.105

2019-01-01

Computers & Security

Abstract:Botnets have become one of the main threats to cyberspace security currently. More and more bots utilize the domain generation algorithm (DGA) to generate malicious domain names to communicate with Command & Control (C&C) servers. A well-designed DGA can bypass the traditional detection methods such as sinkhole and rule filtering, which raises new challenges to cyberspace security. In the field of machine learning, the n-gram is a semantic model that characterizes the relationship among neighboring morphemes while deep convolutional neural networks have a robust capability in processing information with translation-invariant properties. In this paper, we combined n-gram and a deep convolutional neural network and then proposed a novel n-gram combined character based domain classification (n-CBDC) model. The n-CBDC model runs in an end-to-end way that doesn’t require hand-extracted features or domain name system (DNS) contextual information; it only needs to input the domain name itself and can automatically estimate the probability that the domain name was generated by DGAs. Experiments on real-world data show that the proposed method can effectively detect domain names generated by DGAs with 98.69% average detection rate and 0.9829 average F-measure, and significantly outperformed the state-of-art methods in detecting pronounceable and wordlist-based DGA domain names with more than 93.89% detection rate. Therefore, the proposed detection method is robust and has a wide range of adaptability in detecting various types of domain names generated by DGAs.

Franco Palau,Carlos Catania,Jorge Guerra,Sebastian Garcia,Maria Rigaki

DOI: https://doi.org/10.48550/arXiv.2006.06122

2020-06-15

Abstract:Domain Name Service is a trusted protocol made for name resolution, but during past years some approaches have been developed to use it for data transfer. DNS Tunneling is a method where data is encoded inside DNS queries, allowing information exchange through the DNS. This characteristic is attractive to hackers who exploit DNS Tunneling method to establish bidirectional communication with machines infected with malware with the objective of exfiltrating data or sending instructions in an obfuscated way. To detect these threats fast and accurately, the present work proposes a detection approach based on a Convolutional Neural Network (CNN) with a minimal architecture complexity. Due to the lack of quality datasets for evaluating DNS Tunneling connections, we also present a detailed construction and description of a novel dataset that contains DNS Tunneling domains generated with five well-known DNS tools. Despite its simple architecture, the resulting CNN model correctly detected more than 92% of total Tunneling domains with a false positive rate close to 0.8%.

Cryptography and Security,Machine Learning

Yue Wang,Anmin Zhou,Shan Liao,Rongfeng Zheng,Rong Hu,Lei Zhang

DOI: https://doi.org/10.1016/j.comnet.2021.108322

IF: 5.493

2021-10-01

Computer Networks

Abstract:<p>Domain Name System (DNS) tunnels, established between the controlled host and master server disguised as the authoritative domain name server, can be used as a secret data communication channel for malicious activities. Owing to the ready evasion of the DNS traffic to bypass the network security mechanism, DNS tunnelling can cause severe damage. Thus, an in-depth and comprehensive understanding of the various detection technologies is of considerable importance when facing this type of threat. However, most of the existing reviews focus on a single aspect of the DNS tunnel detection technologies, such as methods based on machine learning, traffic, and payload analysis. In addition, few studies have conducted comprehensive investigation that includes a sequentially integrated range of literature in this researchfield, or have analysed the latest literature on DNS tunnels. This paper reviews these detection technologies from a novel perspective of rule-based and model-based methods with descriptions and analyses of the DNS-based tools and their corresponding features. To the best of our knowledge, this is the first study to comprehensively discuss and analyse DNS tunnel detection in a novel and specific classification fashion from various aspects in detail, covering almost all the detection methods developed from 2006 to 2020. Furthermore, a comparative analysis of detection methods and several suggestions for future research directions are presented.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Guangyuan Gao,Weina Niu,Jiacheng Gong,Dujuan Gu,Song Li,Mingxue Zhang,Xiaosong Zhang

DOI: https://doi.org/10.1109/tifs.2024.3443596

IF: 7.231

2024-08-24

IEEE Transactions on Information Forensics and Security

Abstract:DNS tunnels, due to their versatility and concealment, have become a preferred method for attackers to execute Command and Control (C&C) attacks, posing a significant security threat to terminal devices. Therefore, the efficient and accurate detection of DNS tunnels is important in reducing the economic losses and privacy risks faced by both enterprises and individuals. Despite notable advancements in the research of intelligent detection of DNS tunnels, existing model-based approaches predominantly concentrate on the surface-level features of domain names or packet payloads. This narrow focus leads to low detection accuracy when dealing with unknown DNS tunnel attacks and traffic from wildcard DNS. Furthermore, these methods struggle with accurately identifying DNS tunneling tools, complicating the task of swiftly locating and mitigating malware for analysts. This paper proposes GraphTunnel, a framework based on graph neural networks for detecting DNS tunnels and identifying tunneling tools. It delves into the correlations among DNS resolutions to construct paths that represent the recursive resolution process of DNS. By using central nodes that denote the gateways, these paths are connected and transformed into graph structures. Concurrently, it employs GraphSage to aggregate the features of nodes and their edges in the graph, enabling effective detection of DNS tunnels. Additionally, GraphTunnel utilizes the G2M algorithm to capture the statistical features of nodes in the graph and maps them into grayscale images, which are then processed by a CNN for multi-class identification of DNS tunneling tools. Experimental results demonstrate that in non-wildcard DNS scenarios, GraphTunnel achieves a 100% accuracy in DNS tunnel detection, encompassing unknown DNS tunnels. Even in high false-positive environments caused by wildcard DNS, GraphTunnel maintains an F1-Score of 99.78%. Moreover, GraphTunnel can identify DNS tunneling tools with an accuracy rate exceeding 98.57%, enhancing the rapid mitigation capabilities of emergency responders in dealing with malicious DNS tunnels.

computer science, theory & methods,engineering, electrical & electronic

Na Xing,Shuai Zhao,Yuehai Wang,Keqing Ning,Xiufeng Liu

DOI: https://doi.org/10.14569/ijacsa.2023.0140743

2023-01-01

Abstract:recent years, deep learning-based network intrusion detection systems (IDS) have shown impressive results in detecting attacks. However, most existing IDS can only recognize known attacks that were included in their training data. When faced with unknown attacks, these systems are often unable to take appropriate actions and incorrectly classify them into known categories, leading to reduced detection performance. Furthermore, as the number and types of network attacks continue to increase, it becomes challenging for these IDS to update their model parameters promptly and adapt to new attack scenarios. To address these issues, this paper introduces a dynamic intrusion detection system, Dynamic Unknown Attack Intrusion Detection System (DUA-IDS). This system aims to learn and detect unknown attacks effectively. DUA-IDS comprises three components: Feature Extractor: This component employs CNN and Transformer models to extract data features from various perspectives. Threshold-Based Classifier: The second part utilizes the nearest mean rule of samples to classify known and unknown attacks, enabling the distinction between them. Dynamic Learning Module: The third part incorporates data playback and knowledge distillation techniques to retain existing category knowledge while continuously learning new attack categories. To assess the effectiveness of DUA-IDS, this paper conducted experiments using the UNSW-NB15 public dataset. The experimental results show that DUA-IDS improves the classification accuracy of flow network data with unknown traffic attacks. Can accurately distinguish unknown traffic and correctly classify known traffic. When dynamically learning unknown traffic, the classification accuracy of previously learned known traffic is less affected. This indicates the advantages of DUA-IDS in detecting unknown attacks and learning new attack categories.

Xin Ma,Shize Guo,Zhisong Pan,Bin Liu,Kaolin Jiang,Ming Chen,Shijiao Tang

DOI: https://doi.org/10.48550/arXiv.2207.06641

2022-07-14

Abstract:A covert attack method often used by APT organizations is the DNS tunnel, which is used to pass information by constructing C2 networks. And they often use the method of frequently changing domain names and server IP addresses to evade monitoring, which makes it extremely difficult to detect them. However, they carry DNS tunnel information traffic in normal DNS communication, which inevitably brings anomalies in some statistical characteristics of DNS traffic, so that it would provide security personnel with the opportunity to find them. Based on the above considerations, this paper studies the statistical discovery methodology of typical DNS tunnel high-frequency query behavior. Firstly, we analyze the distribution of the DNS domain name length and times and finds that the DNS domain name length and times follow the normal distribution law. Secondly, based on this distribution law, we propose a method for detecting and discovering high-frequency DNS query behaviors of non-single domain names based on the statistical rules of domain name length and frequency and we also give three theorems as theoretical support. Thirdly, we design a sliding window difference scheme based on the above method. Experimental results show that our method has a higher detection rate. At the same time, since our method does not need to construct a data set, it has better practicability in detecting unknown DNS tunnels. This also shows that our detection method based on mathematical models can effectively avoid the dilemma for machine learning methods that must have useful training data sets, and has strong practical significance.

Networking and Internet Architecture

Ziming Zhao,Zhaoxuan Li,Xiaofei Xie,Jiongchi Yu,Fan Zhang,Rui Zhang,Binbin Chen,Xiangyang Luo,Ming Hu,Wenrui Ma

DOI: https://doi.org/10.1109/tnet.2024.3413789

2024-01-01

Abstract:Anomaly-based network intrusion detection systems (NIDSs) are essential for ensuring cybersecurity. However, the security communities realize some limitations when they put most existing proposals into practice. The challenges are mainly concerned with fine-grained unknown attack detection and ever-changing legitimate traffic adaptation. To tackle these problem, we present three key design norms. The core idea is to construct a model to split the data distribution hyperplane and leverage the concept of isolation, as well as advance the incremental model update. We utilize the isolation tree as the backbone to design our model, named, to echo back three norms. By analyzing the popular dataset of network intrusion traces, we show that significantly outperforms the state-of-the-art methods. Further, we perform an initial deployment of by working with the Internet Service Provider (ISP) to detect distributed denial of service (DDoS) attacks. With real-world tests and manual analysis, we demonstrate the effectiveness of to identify previously-unseen attacks in a fine-grained manner.

Andreas Berg,Daniel Forsberg

DOI: https://doi.org/10.48550/arXiv.1906.11246

2019-06-26

Abstract:DNS is a distributed, fault tolerant system that avoids a single point of failure. As such it is an integral part of the internet as we use it today and hence deemed a safe protocol which is let through firewalls and proxies with no or little checks. This can be exploited by malicious agents. Network forensics is effective but struggles due to size of data and manual labour. This paper explores to what extent predictive models can be used to predict network traffic, what protocols are tunneled in the DNS protocol and more specifically whether the predictive performance is enhanced when analyzing DNS-queries and responses together and which feature set that can be used for DNS-tunneled network prediction. The tested protocols are SSH, SFTP and Telnet and the machine learning models used are Multi Layered Perceptron and Random Forests. To train the models we extract the IP Packet length, Name length and Name entropy of both the queries and responses in the DNS traffic. With an experimental research strategy it is empirically shown that the performance of the models increases when training the models on the query and respose pairs rather than using only queries or responses. The accuracy of the models is >83% and reduction in data size when features are extracted is roughly 95%. Our results provides evidence that machine learning is a valuable tool in detecting network protocols in a DNS tunnel and that only an small subset of network traffic is needed to detect this anomaly.

Cryptography and Security,Machine Learning

Siyu Zhang,Zhipeng Han,Kaida Jiang

DOI: https://doi.org/10.1109/ICPICS58376.2023.10235404

2023-01-01

Abstract:In recent years, malicious software that utilizes covert channels to transmit private data has become increasingly prevalent. The privacy information of affected users, such as accounts and passwords, is quietly transmitted to attackers. Hackers commonly employ covert tunnels that utilize the Domain Name System (DNS) to achieve this, transmitting stolen information through malicious domains. Traditional DNS tunneling techniques generate significant communication traffic, and related research has delved deeper into this area. However, they face challenges in detecting malicious software that transmits data at low rates. This paper proposes a DNS data leakage detection algorithm based on anomaly detection models. Through experimental verification combining simulated attacks with real data, this algorithm demonstrates high detection rates for low-rate data leakage channels, while also maintaining good detection performance for traditional DNS tunnels.

Weina Niu,Xiaosong Zhang,Guowu Yang,Jianan Zhu,Zhongwei Ren

DOI: https://doi.org/10.1155/2017/4916953

IF: 1.43

2017-01-01

Mathematical Problems in Engineering

Abstract:Advanced Persistent Threat (APT) is a serious threat against sensitive information. Current detection approaches are time-consuming since they detect APT attack by in-depth analysis of massive amounts of data after data breaches. Specifically, APT attackers make use of DNS to locate their command and control (C&C) servers and victims' machines. In this paper, we propose an efficient approach to detect APT malware C&C domain with high accuracy by analyzing DNS logs. We first extract 15 features from DNS logs of mobile devices. According to Alexa ranking and the VirusTotal's judgement result, we give each domain a score. Then, we select the most normal domains by the score metric. Finally, we utilize our anomaly detection algorithm, called Global Abnormal Forest (GAF), to identify malware C&C domains. We conduct a performance analysis to demonstrate that our approach is more efficient than other existing works in terms of calculation efficiency and recognition accuracy. Compared with Local Outlier Factor (LOF),k-Nearest Neighbor (KNN), and Isolation Forest (iForest), our approach obtains more than 99% F-M and R for the detection of C&C domains. Our approach not only can reduce data volume that needs to be recorded and analyzed but also can be applicable to unsupervised learning.

Muhammad Dawood,Chunagbai Xiao,Shanshan Tu,Faiz Abdullah Alotaibi,Mrim M. Alnfiai,Muhammad Farhan

DOI: https://doi.org/10.7717/peerj-cs.2027

2024-05-28

PeerJ Computer Science

Abstract:This article explores detecting and categorizing network traffic data using machine-learning (ML) methods, specifically focusing on the Domain Name Server (DNS) protocol. DNS has long been susceptible to various security flaws, frequently exploited over time, making DNS abuse a major concern in cybersecurity. Despite advanced attack, tactics employed by attackers to steal data in real-time, ensuring security and privacy for DNS queries and answers remains challenging. The evolving landscape of internet services has allowed attackers to launch cyber-attacks on computer networks. However, implementing Secure Socket Layer (SSL)-encrypted Hyper Text Transfer Protocol (HTTP) transmission, known as HTTPS, has significantly reduced DNS-based assaults. To further enhance security and mitigate threats like man-in-the-middle attacks, the security community has developed the concept of DNS over HTTPS (DoH). DoH aims to combat the eavesdropping and tampering of DNS data during communication. This study employs a ML-based classification approach on a dataset for traffic analysis. The AdaBoost model effectively classified Malicious and Non-DoH traffic, with accuracies of 75% and 73% for DoH traffic. The support vector classification model with a Radial Basis Function (SVC-RBF) achieved a 76% accuracy in classifying between malicious and non-DoH traffic. The quadratic discriminant analysis (QDA) model achieved 99% accuracy in classifying malicious traffic and 98% in classifying non-DoH traffic.

computer science, information systems, artificial intelligence, theory & methods

Futai Zou,Yundong Ren,Jiachen Zhu,Junhua Tang

DOI: https://doi.org/10.1109/hpcc-dss-smartcity-dependsys53884.2021.00090

2021-01-01

Abstract:In recent years, privacy data leakage has become a hot topic of security. After malware controls the target client, it needs to bypass the existing security defense to transmit the data to the controller. DNS is a common communication protocol in the network, thus traditional defense methods will not place strict restrictions on DNS traffic. Researchers have found various domain requests for covert data transmission in DNS traffic. In the past ten years, people have only noticed the communication of DNS tunnels, but the new kind of DNS data leakage has a more covert transmission mode through sub-domain name coding and other ways. DNS data leakage exhibits low traffic volume and periodicity, which is totally different from DNS tunnels with bi-directional data exchange and high traffic volume. In this paper, a detection model named as LSTM-AE is proposed. LSTM-AE integrates LSTM-based time-series characterization and unsupervised autoencoder to detect data leakage malware through DNS traffic. Experimental results show the detection performance of LSTM-AE is better than other ML-based methods and several unknown malicious domains related data leakage have been detected with real-world DNS traffic.

Johan Mazel,Matthieu Saudrais,Antoine Hervieu

DOI: https://doi.org/10.48550/arXiv.2201.10371

2022-01-25

Cryptography and Security

Abstract:Encrypted tunneling protocols are widely used. Beyond business and personal uses, malicious actors also deploy tunneling to hinder the detection of Command and Control and data exfiltration. A common approach to maintain visibility on tunneling is to rely on network traffic metadata and machine learning to analyze tunnel occurrence without actually decrypting data. Existing work that address tunneling protocols however exhibit several weaknesses: their goal is to detect application inside tunnels and not tunnel identification, they exhibit limited protocol coverage (e.g. OpenVPN and Wireguard are not addressed), and both inconsistent features and diverse machine learning techniques which makes performance comparison difficult. Our work makes four contributions that address these limitations and provide further analysis. First, we address OpenVPN and Wireguard. Second, we propose a complete pipeline to detect and classify tunneling protocols and tunneled applications. Third, we present a thorough analysis of the performance of both network traffic metadata features and machine learning techniques. Fourth, we provide a novel analysis of domain generalization regarding background untunneled traffic, and, both domain generalization and adversarial learning regarding Maximum Transmission Unit (MTU).

Senmiao Wang,Luli Sun,Sujuan Qin,WenMin Li,Wentao Liu

DOI: https://doi.org/10.1016/j.cose.2022.102818

2022-09-01

Abstract:Nowadays, DNS channel attacks on mobile devices have become a challenging threat. Attackers usually attack mobile devices and steal information with the help of DNS channel. It is difficult for users to detect this kind of attack, especially when attackers covert sensitive information in the DNS response. In this paper, we proposed a method for DNS tunnel detection based on isolated forest for Android. We constructed a framework for mobile devices to collect DNS tunnel traffic. Based on the analysis of DNS tunnel traffic generated on mobile devices, we extracted features based on DNS request and response and constructed the feature set. We proposed a DNS tunnel detector, KRTunnel, for mobile devices. Experiments showed that KRTunnel can identify unseen DNS tunnel traffic with the accuracy of 98.1%.

computer science, information systems

Xiaoqing Sun,Mingkai Tong,Jiahai Yang

DOI: https://doi.org/10.48550/arXiv.1909.01590

2019-09-04

Cryptography and Security

Abstract:Domain name system (DNS) is a crucial part of the Internet, yet has been widely exploited by cyber attackers. Apart from making static methods like blacklists or sinkholes infeasible, some weasel attackers can even bypass detection systems with machine learning based classifiers. As a solution to this problem, we propose a robust domain detection system named HinDom. Instead of relying on manually selected features, HinDom models the DNS scene as a Heterogeneous Information Network (HIN) consist of clients, domains, IP addresses and their diverse relationships. Besides, the metapath-based transductive classification method enables HinDom to detect malicious domains with only a small fraction of labeled samples. So far as we know, this is the first work to apply HIN in DNS analysis. We build a prototype of HinDom and evaluate it in CERNET2 and TUNET. The results reveal that HinDom is accurate, robust and can identify previously unknown malicious domains.

Jianfeng Li,Xiaobo Ma,Li Guodong,Xiapu Luo,Junjie Zhang,Wei Li,Xiaohong Guan

DOI: https://doi.org/10.1109/infocom.2018.8486210

2018-01-01

Abstract:Domain Name System (DNS) is one of the pillars of today's Internet. Due to its appealing properties such as low data volume, wide-ranging applications and encryption free, DNS traffic has been extensively utilized for network monitoring. Most existing studies of DNS traffic, however, focus on domain name reputation. Little attention has been paid to understanding and profiling what people are doing from DNS traffic, a fundamental problem in the areas including Internet demographics and network behavior analysis. Consequently, simple questions like “How to determine whether a DNS query for www.google.com means searching or any other behaviors?” cannot be answered by existing studies. In this paper, we take the first step to identify user activities from raw DNS queries. We advance a multiscale hierarchical framework to tackle two practical challenges, i.e., behavior ambiguity and behavior polymorphism. Under this framework, a series of novel methods, such as pattern upward mapping and multi-scale random forest classifier, are proposed to characterize and identify user activities of interest. Evaluation using both synthetic and real-world DNS traces demonstrates the effectiveness of our method.

章思宇,邹福泰,王鲁华,陈铭

DOI: https://doi.org/10.3969/j.issn.1000-436x.2013.05.017

2013-01-01

Journal of Communications

Abstract:To propose an effective detection method for DNS-based covert channel,traffic characteristics were thor-oughly studied.12 features were extracted from DNS packets to distinguish covert channels from legitimate DNS queries.Statistical characteristics of these features are used as input of the machine learning classifier.Experimental results show that the decision tree model detects all 22 covert channels used in training,and is capable of detecting untrained covert channels.Several DNS tunnels were detected during the evaluation on campus network's live DNS traffic.

Chao Li,Yanan Cheng,Zhaoxin Zhang,Zundong Zhang

DOI: https://doi.org/10.1016/j.comnet.2024.110669

IF: 5.493

2024-01-01

Computer Networks

Abstract:The Domain Name System (DNS), as a critical component of Internet infrastructure, is crucial for maintaining network stability and security. However, vulnerabilities in the DNS resolution process make it susceptible to various network attacks. Current DNS resolution anomaly detection methods are challenged by the scarcity of diverse anomalous sample data and the difficulty in accurately capturing such anomalies. To address those challenges, we firstly introduce a proactive anomaly detection method based on bidirectional national censorship behavior, abbreviated as CB-BiDAM. This method can collect diverse anomalous resolution data from multiple network spaces, covering common types of resolution anomalies and effectively solving the problem of sample scarcity. Further, we extract multidimensional features from four key aspects: response content, DNS attributes, resolution paths, and timing, to gain a deeper understanding of the relationship between multifaceted information in the DNS resolution process and anomalous events. Finally, based on these multidimensional features, we construct a DNS resolution anomaly detection model named DRADC, using a stacked ensemble approach. Through a series of comparative experiments, the DRADC model significantly outperforms existing machine learning algorithms in key metrics such as accuracy (97.48%), recall (96.87%), and F1 score (97.09%). Feature ablation experiments further demonstrates that incorporating multidimensional features significantly improves model performance, with a 3% increase in accuracy and a 3.5% increase in precision compared to models relying solely on response content features. By providing an accurate detection model for DNS resolution anomalies, this study aids network administrators in more effectively identifying and countering network attacks. Additionally, our research also contributes to the detection and response to domain censorship mechanisms, which is crucial for maintaining the openness and free flow of the Internet.

Fei Wang,Liusheng Huang,Zhili Chen,Haibo Miao,Wei Yang

DOI: https://doi.org/10.1007/978-3-319-04283-1_15

2014-01-01

Abstract:The web tunnel is a common attack technique in the Internet and it is very easy to be implemented but extremely difficult to be detected. In this paper, we propose a novel web tunnel detection method which focuses on protocol behaviors. By analyzing the interaction processes in web communications, we give a scientific definition to web sessions that are our detection objects. Under the help of the definition, we extract four first-order statistical features which are widely used in previous research of web sessions. Utilizing the packet lengths and inter-arrival times in the transport layer, we divide TCP packets into different classes and discover some statistical correlations of them in order to extract another three second-order statistical features of web sessions. Further, the seven features are regarded as a 7-dimentional feature vector. Exploiting the vector, we adopt a support vector machine classifier to distinguish tunnel sessions from legitimate web sessions. In the experiment, our method performs very well and the detection accuracies of HTTP tunnels and HTTPS tunnels are 82.5% and 91.8% respectively when the communication traffic is above 500 TCP packets.

Shaojie Chen,Bo Lang,Hongyu Liu,Duokun Li,Chuan Gao

DOI: https://doi.org/10.1016/j.cose.2020.102095

2021-05-01

Abstract:<p>DNS is a kind of basic network protocol that is rarely blocked by firewalls; therefore, it is used to build covert channels. Malicious DNS covert channels play an important role in data exfiltration and botnets and do great harm to the network environment. To detect DNS covert channels, researchers extract multiple features from different perspectives of DNS traffic. At present, many detection methods using machine learning are based on manual features, which usually include complex data preprocessing and feature extraction. Additionally, these methods seriously rely on expert knowledge, and some potential features are hard to discover. To address these problems, we propose a DNS covert channel detection method using the LSTM model, which does not rely on feature engineering. First, we use the FQDNs of DNS packets as the input and implement an end-to-end detection approach using LSTM. Then, we filter the detection results of the LSTM model with the grouped filtering method to further reduce the false positive rate. Using the packets from the Internet and the packets generated by running different DNS covert channel tools, we construct our datasets, in which generalization test datasets are included in addition to the FQDN and the DNS packet datasets for model training. Our method achieves an accuracy rate of 99.38% on the test dataset and a recall rate of 98.52% on the generalization test dataset, which are better than the state-of-the-art methods. This method is also tested in a real network environment and has detected multiple malicious DNS covert channel events.</p>

computer science, information systems