A DNS-based Data Exfiltration Traffic Detection Method for Unknown Samples

Ruiling Gan,Jiawen Diao,Xiang Cui,Shouyou Song
DOI: https://doi.org/10.1109/dsc55868.2022.00032
2022-01-01
Abstract:The advanced persistent threat (APT) is one of the most serious threats to cyberspace security. Posting back of exfiltrated data by way of DNS covert channels has become increasingly popular among APT attackers. Early detection techniques were mainly based on rule matching, whose accuracy may be affected by the subjectivity of the researchers. The rise of machine learning technology solves this problem. However, the current DNS traffic detection models based on machine learning lack the open-source datasets for training and they will lose detection accuracy for unknown malicious traffic whose abnormal points are different from the observed samples. As for the problem of insufficient data set, we propose a sample set enhancement method that simulating DNS attacks in the cyber range and using the captured flow as the training set. Regarding the detection of unknown malicious traffic, we put forward four new features (domain readability, domain structure, second-level domain phishing and IP discreteness) based on the principles for constructing malicious traffic. We use the decision tree algorithm to implement a detection model. In the unknown DNS data leakage traffic tests, our model achieved an average detection rate of 99.925%. After applying our sample set and feature set enhanced schemes to the existing work, the experimental results show that the enhanced detection model can detect unknown DNS data leakage traffic that could not be detected previously.
What problem does this paper attempt to address?