Futai Zou,Yundong Ren,Jiachen Zhu,Junhua Tang

DOI: https://doi.org/10.1109/hpcc-dss-smartcity-dependsys53884.2021.00090

2021-01-01

Abstract:In recent years, privacy data leakage has become a hot topic of security. After malware controls the target client, it needs to bypass the existing security defense to transmit the data to the controller. DNS is a common communication protocol in the network, thus traditional defense methods will not place strict restrictions on DNS traffic. Researchers have found various domain requests for covert data transmission in DNS traffic. In the past ten years, people have only noticed the communication of DNS tunnels, but the new kind of DNS data leakage has a more covert transmission mode through sub-domain name coding and other ways. DNS data leakage exhibits low traffic volume and periodicity, which is totally different from DNS tunnels with bi-directional data exchange and high traffic volume. In this paper, a detection model named as LSTM-AE is proposed. LSTM-AE integrates LSTM-based time-series characterization and unsupervised autoencoder to detect data leakage malware through DNS traffic. Experimental results show the detection performance of LSTM-AE is better than other ML-based methods and several unknown malicious domains related data leakage have been detected with real-world DNS traffic.

Xin Ma,Shize Guo,Zhisong Pan,Bin Liu,Kaolin Jiang,Ming Chen,Shijiao Tang

DOI: https://doi.org/10.48550/arXiv.2207.06641

2022-07-14

Abstract:A covert attack method often used by APT organizations is the DNS tunnel, which is used to pass information by constructing C2 networks. And they often use the method of frequently changing domain names and server IP addresses to evade monitoring, which makes it extremely difficult to detect them. However, they carry DNS tunnel information traffic in normal DNS communication, which inevitably brings anomalies in some statistical characteristics of DNS traffic, so that it would provide security personnel with the opportunity to find them. Based on the above considerations, this paper studies the statistical discovery methodology of typical DNS tunnel high-frequency query behavior. Firstly, we analyze the distribution of the DNS domain name length and times and finds that the DNS domain name length and times follow the normal distribution law. Secondly, based on this distribution law, we propose a method for detecting and discovering high-frequency DNS query behaviors of non-single domain names based on the statistical rules of domain name length and frequency and we also give three theorems as theoretical support. Thirdly, we design a sliding window difference scheme based on the above method. Experimental results show that our method has a higher detection rate. At the same time, since our method does not need to construct a data set, it has better practicability in detecting unknown DNS tunnels. This also shows that our detection method based on mathematical models can effectively avoid the dilemma for machine learning methods that must have useful training data sets, and has strong practical significance.

Networking and Internet Architecture

Jingkun Liu,Shuhao Li,Yongzheng Zhang,Jun Xiao,Peng Chang,Chengwei Peng

DOI: https://doi.org/10.1109/trustcom/bigdatase/icess.2017.256

2017-01-01

Abstract:DNS tunnel is a typical Internet covert channel used by attackers or bots to evade the malicious activities detection. The stolen information is encoded and encapsulated into the DNS packets to transfer. Since DNS traffic is common, most of the firewalls directly allow it to pass and IDS does not trigger an alarm with it. The popular signature-based detection methods and threshold-based methods are not flexible and make high false alarms. The approaches based on characters distribution features also do not perform well, because attackers can modify the encoding method to disturb the characters distributions.In this paper, we propose an effective and applicable DNS tunnel detection mechanism. The prototype system is deployed at the Recursive DNS for tunnel identification. We use four kinds of features including time-interval features, request packet size features, record type features and subdomain entropy features. We evaluate the performance of our proposal with Support Vector Machine, Decision Tree and Logistical Regression. The experiments show that the method can achieve high detection accuracy of 99.96%.

Yue Wang,Anmin Zhou,Shan Liao,Rongfeng Zheng,Rong Hu,Lei Zhang

DOI: https://doi.org/10.1016/j.comnet.2021.108322

IF: 5.493

2021-10-01

Computer Networks

Abstract:<p>Domain Name System (DNS) tunnels, established between the controlled host and master server disguised as the authoritative domain name server, can be used as a secret data communication channel for malicious activities. Owing to the ready evasion of the DNS traffic to bypass the network security mechanism, DNS tunnelling can cause severe damage. Thus, an in-depth and comprehensive understanding of the various detection technologies is of considerable importance when facing this type of threat. However, most of the existing reviews focus on a single aspect of the DNS tunnel detection technologies, such as methods based on machine learning, traffic, and payload analysis. In addition, few studies have conducted comprehensive investigation that includes a sequentially integrated range of literature in this researchfield, or have analysed the latest literature on DNS tunnels. This paper reviews these detection technologies from a novel perspective of rule-based and model-based methods with descriptions and analyses of the DNS-based tools and their corresponding features. To the best of our knowledge, this is the first study to comprehensively discuss and analyse DNS tunnel detection in a novel and specific classification fashion from various aspects in detail, covering almost all the detection methods developed from 2006 to 2020. Furthermore, a comparative analysis of detection methods and several suggestions for future research directions are presented.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Yang Zhao,Hongzhi Ye,Lingzi Li,Cheng Huang,Tao Zhang

DOI: https://doi.org/10.1109/dsc50466.2020.00015

2020-01-01

Abstract:DNS server is one of the most important Internet infrastructures in modern society. DNS Tunnel technology is firstly used to get free WiFi, more and more security incidents using DNS protocol to transmit information or illegal commands in recently advanced persistent threat attacks. Most security products such as firewalls, intrusion detection systems and intrusion prevention systems rarely detect DNS communication, which provides naturally command and control communication channel for attackers. The traditional detection methods only focus on the network communication feature for DNS tunnel tools, such as iodine, dnscat2 and dns2tcp. Then many machine learning detection methods are introduced to automatically learn the abstract features and classify the illegal communication method, but the detection result is not still satisfied with high accurate and low false positive. In order to solve this issue, the paper proposed an automatically detecting methods based on session behaviors and random forest algorithm. The experiments proved the method could achieve high accuracy (99.79%) with recall (98.67%), which is higher than other general algorithms.

Cheng Qi,Xiaojun Chen,Cui Xu,Jinqiao Shi,Peipeng Liu

DOI: https://doi.org/10.1016/j.procs.2013.05.109

2013-01-01

Procedia Computer Science

Abstract:DNS (Domain Name System) tunnels can provide high-bandwidth covert channels that pose a significant risk to sensitive information inside the company networks. Sensitive data are embedded in DNS query and response packets to exfiltrate and infiltrate the network boundaries. However, traditional Intrusion Detection Systems (IDS) and Firewalls let DNS packets pass without any checking. This paper explores a novel approach to detect in real time whether a DNS packet is in a tunnel by scoring the query domain based on bigram. Experiment shows that the bigrams of domains follow Zipf's law whereas tunnelled traffic is obedient to random distribution. The score mechanism in detecting DNS tunnels is proved to be usable theoretically and is confirmed in the experiment. Our approach can get a high accuracy of 98.74% and low false positive of 1.24%.

章思宇,邹福泰,王鲁华,陈铭

DOI: https://doi.org/10.3969/j.issn.1000-436x.2013.05.017

2013-01-01

Journal of Communications

Abstract:To propose an effective detection method for DNS-based covert channel,traffic characteristics were thor-oughly studied.12 features were extracted from DNS packets to distinguish covert channels from legitimate DNS queries.Statistical characteristics of these features are used as input of the machine learning classifier.Experimental results show that the decision tree model detects all 22 covert channels used in training,and is capable of detecting untrained covert channels.Several DNS tunnels were detected during the evaluation on campus network's live DNS traffic.

Shaojie Chen,Bo Lang,Hongyu Liu,Duokun Li,Chuan Gao

DOI: https://doi.org/10.1016/j.cose.2020.102095

2021-05-01

Abstract:<p>DNS is a kind of basic network protocol that is rarely blocked by firewalls; therefore, it is used to build covert channels. Malicious DNS covert channels play an important role in data exfiltration and botnets and do great harm to the network environment. To detect DNS covert channels, researchers extract multiple features from different perspectives of DNS traffic. At present, many detection methods using machine learning are based on manual features, which usually include complex data preprocessing and feature extraction. Additionally, these methods seriously rely on expert knowledge, and some potential features are hard to discover. To address these problems, we propose a DNS covert channel detection method using the LSTM model, which does not rely on feature engineering. First, we use the FQDNs of DNS packets as the input and implement an end-to-end detection approach using LSTM. Then, we filter the detection results of the LSTM model with the grouped filtering method to further reduce the false positive rate. Using the packets from the Internet and the packets generated by running different DNS covert channel tools, we construct our datasets, in which generalization test datasets are included in addition to the FQDN and the DNS packet datasets for model training. Our method achieves an accuracy rate of 99.38% on the test dataset and a recall rate of 98.52% on the generalization test dataset, which are better than the state-of-the-art methods. This method is also tested in a real network environment and has detected multiple malicious DNS covert channel events.</p>

computer science, information systems

Jawad Ahmed

DOI: https://doi.org/10.48550/arXiv.2205.08968

2022-05-18

Cryptography and Security

Abstract:Enterprise Networks are growing in scale and complexity, with heterogeneous connected assets needing to be secured in different ways. Nevertheless, virtually all connected assets use the Domain Name System (DNS) for address resolution, and DNS has thus become a convenient vehicle for attackers to covertly perform Command and Control (C&C) communication, data theft, and service disruption across a wide range of assets. Enterprise security appliances that monitor network traffic typically allow all DNS traffic through as it is vital for accessing any web service; they may at best match against a database of known malicious patterns, and are therefore ineffective against zero-day attacks. This thesis focuses on three high-impact cyber-attacks that leverage DNS, specifically data exfiltration, malware C&C communication, and service disruption. Using big data (over 10B packets) of DNS network traffic collected from a University campus and a Government research organization over a 6-month period, we illustrate the anatomy of these attacks, train machines for automatically detecting such attacks, and evaluate their efficacy in the field.

Guanghua Yan,Qiang Li,Dong Guo,Xiangyu Meng

DOI: https://doi.org/10.3390/s20030731

IF: 3.9

2020-01-01

Sensors

Abstract:As sensors become more prevalent in our lives, security issues have become a major concern. In the Advanced Persistent Threat (APT) attack, the sensor has also become an important role as a transmission medium. As a relatively weak link in the network transmission process, sensor networks often become the target of attackers. Due to the characteristics of low traffic, long attack time, diverse attack methods, and real-time evolution, existing detection methods have not been able to detect them comprehensively. Current research suggests that a suspicious domain name can be obtained by analyzing the domain name resolution (DNS) request to the target network in an APT attack. In past work based on DNS log analyses, most of the work would simply calculate the characteristics of the request message or the characteristics of the response message or the feature set of the request message plus the response message, and the relationship between the response message and the request message was not considered. This may leave out the detection of some APT attacks in which the DNS resolution process is incomplete. This paper proposes a new feature that represents the relationship between a DNS request and the response message, based on a deep learning method used to analyze the DNS request records. The algorithm performs threat assessment on the DNS behavior to be detected based on the calculated suspicious value. This paper uses the data of 4, 907, 147, 146 DNS request records (376, 605, 606 records after DNS Data Pre-processing) collected in a large campus network and uses simulation attack data to verify the validity and correctness of the system. The results of the experiments show that our method achieves an average accuracy of 97.6% in detecting suspicious DNS behavior, with the orange false positive (FP) at 2.3% and the recall at 96.8%. The proposed system can effectively detect the hidden and suspicious DNS behavior in APT.

Ruming Tang,Cheng Huang,Yanti Zhou,Haoxian Wu,Xianglin Lu,Yongqian Sun,Qi Li,Jinjin Li,Weiyao Huang,Siyuan Sun,Dan Pei

DOI: https://doi.org/10.1007/978-3-030-63095-9_1

2020-01-01

Abstract:DNS is a key protocol of the Internet infrastructure, which ensures network connectivity. However, DNS suffers from various threats. In particular, DNS covert communication is one serious threat in enterprise networks, by which attackers establish stealthy communications between internal hosts and remote servers. In this paper, we propose D \({^2}\)C\(^2\) (Detection of DNS Covert Communication), a practical and flexible machine learning-based framework to detect DNS covert communications. D \({^2}\)C\(^2\) is an end-to-end framework contains modular detection models including supervised and unsupervised ones, which detect multiple types of threats efficiently and flexibly. We have deployed D \({^2}\)C\(^2\) in a large commercial bank with 100 millions of DNS queries per day. During the deployment, D \({^2}\)C\(^2\) detected over 4k anomalous DNS communications per day, achieving high precision over 0.97 on average. It uncovers a significant number of unnoticed security issues including seven compromised hosts in the enterprise network.

Yarin Ozery,Asaf Nadler,Asaf Shabtai

2023-07-06

Abstract:Data exfiltration over the DNS protocol and its detection have been researched extensively in recent years. Prior studies focused on offline detection methods, which although capable of detecting attacks, allow a large amount of data to be exfiltrated before the attack is detected and dealt with. In this paper, we introduce Information-based Heavy Hitters (ibHH), a real-time detection method which is based on live estimations of the amount of information transmitted to registered domains. ibHH uses constant-size memory and supports constant-time queries, which makes it suitable for deployment on recursive DNS servers to further reduce detection and response time. In our evaluation, we compared the performance of the proposed method to that of leading state-of-the-art DNS exfiltration detection methods on real-world datasets comprising over 250 billion DNS queries. The evaluation demonstrates ibHH's ability to successfully detect exfiltration rates as slow as 0.7B/s, with a false positive alert rate of less than 0.004, with significantly lower resource consumption compared to other methods.

Cryptography and Security

Huiwen Bai,Weiwei Liu,Guangjie Liu,Yuewei Dai,Shuhua Huang

DOI: https://doi.org/10.1109/access.2021.3085500

IF: 3.9

2021-01-01

IEEE Access

Abstract:Due to the capability of passing through heavily censored networks or gateway equipped with the traffic-monitoring module, DNS tunnel has been the dominant covert communication technique for command and control between the victim and the attacker in network attack events. Although the discovery of DNS tunnel has been intensively studied, the internal application behavior identification for DNS tunnels still remains a challenging problem. The fine-gained identification can help to reveal more behavior information wrapped in DNS tunnels. In this study, we investigate the spatial-temporal information from the raw packets to identify the internal application behaviors in DNS tunnels. Multi-dimensional features on packet length and timing for DNS tunnels with different internal application behaviors are incorporated with a machine-learning algorithm to identify the internal application behaviors in DNS tunnels. We consider 4 common types of application behaviors in our research, including browsing webpages, emailing, downloading data, and controlling the remote servers. The experimental results show that the proposed scheme can achieve higher identification accuracy with a much lower packet consuming rate when compared with the state-of-the-art internal protocol identification scheme. The experiment results depict that our proposed scheme is better in terms of F-score, which can reach 99% with only 100 packets.

Wei-Wei ZHANG,Jian GONG,Shang-Dong LIU,Xiao-Yan HU

DOI: https://doi.org/10.13328/j.cnki.jos.005186

2017-01-01

Abstract:Focusing on ISP backbone,this paper presents a method to detect malicious activities such as botnets,phishing and spam that threaten user security in the domain by monitoring DNS interaction messages through the network boundary in real time.The method depicts DNS behavior patterns based on dependency and position attribute.Then,the paper proposes a supervised classifier based DNS activity detecting algorithm DAOS (binary classifier for DNS activity observation system).Dependency attribute is used to describe external usage of the domain name from perspective of DNS customer,while position attribute is used to describe resource allocation of records in the zone file.Experimental results show that the algorithm,with a DNS data source in 2 hours,can achieve 90.5％ of accuracy,2.9％ of false positive,and 6.6％ of false negative without prior knowledge.If the observation is kept for a week,accuracy rises up to 93.9％,false positive and false negative can descend to 1.3％ and 4.8％.

Muhammad Dawood,Chunagbai Xiao,Shanshan Tu,Faiz Abdullah Alotaibi,Mrim M. Alnfiai,Muhammad Farhan

DOI: https://doi.org/10.7717/peerj-cs.2027

2024-05-28

PeerJ Computer Science

Abstract:This article explores detecting and categorizing network traffic data using machine-learning (ML) methods, specifically focusing on the Domain Name Server (DNS) protocol. DNS has long been susceptible to various security flaws, frequently exploited over time, making DNS abuse a major concern in cybersecurity. Despite advanced attack, tactics employed by attackers to steal data in real-time, ensuring security and privacy for DNS queries and answers remains challenging. The evolving landscape of internet services has allowed attackers to launch cyber-attacks on computer networks. However, implementing Secure Socket Layer (SSL)-encrypted Hyper Text Transfer Protocol (HTTP) transmission, known as HTTPS, has significantly reduced DNS-based assaults. To further enhance security and mitigate threats like man-in-the-middle attacks, the security community has developed the concept of DNS over HTTPS (DoH). DoH aims to combat the eavesdropping and tampering of DNS data during communication. This study employs a ML-based classification approach on a dataset for traffic analysis. The AdaBoost model effectively classified Malicious and Non-DoH traffic, with accuracies of 75% and 73% for DoH traffic. The support vector classification model with a Radial Basis Function (SVC-RBF) achieved a 76% accuracy in classifying between malicious and non-DoH traffic. The quadratic discriminant analysis (QDA) model achieved 99% accuracy in classifying malicious traffic and 98% in classifying non-DoH traffic.

computer science, information systems, artificial intelligence, theory & methods

Futai Zou,Linsen Li,Yue Wu,Jianhua Li,Siyu Zhang,Kaida Jiang

DOI: https://doi.org/10.1142/S0218194018400016

IF: 1.007

2018-01-01

International Journal of Software Engineering and Knowledge Engineering

Abstract:Domain-Flux malware is hard to detect because of the variable C&C (Command and Control) domains which were randomly generated by the technique of domain generation algorithm (DGA). In this paper, we propose a Domain-Flux malware detection approach based on DNS failure traffic. The approach fully leverages the behavior of DNS failure traffic to recognize nine features, and then mines the DGA-generated domains by a clustering algorithm and determinable rules. Theoretical analysis and experimental results verify its efficiency with both test dataset and real-world dataset. On the test dataset, our approach can achieve a true positive rate of 99.82% at false positive rate of 0.39%. On the real-world dataset, the approach can also achieve a relatively high precision of 98.3% and find out 197,026 DGA domains by analyzing DNS traffic in campus network for seven days. We found 1213 hosts of Domain-Flux malware existing on campus network, including the known Conficker, Fosniw and several new Domain-Flux malwares that have never been reported before. We classified 197,026 DGA domains and gave the representative generated patterns for a better understanding of the Domain-Flux mechanism.

Franco Palau,Carlos Catania,Jorge Guerra,Sebastian Garcia,Maria Rigaki

DOI: https://doi.org/10.48550/arXiv.2006.06122

2020-06-15

Abstract:Domain Name Service is a trusted protocol made for name resolution, but during past years some approaches have been developed to use it for data transfer. DNS Tunneling is a method where data is encoded inside DNS queries, allowing information exchange through the DNS. This characteristic is attractive to hackers who exploit DNS Tunneling method to establish bidirectional communication with machines infected with malware with the objective of exfiltrating data or sending instructions in an obfuscated way. To detect these threats fast and accurately, the present work proposes a detection approach based on a Convolutional Neural Network (CNN) with a minimal architecture complexity. Due to the lack of quality datasets for evaluating DNS Tunneling connections, we also present a detailed construction and description of a novel dataset that contains DNS Tunneling domains generated with five well-known DNS tools. Despite its simple architecture, the resulting CNN model correctly detected more than 92% of total Tunneling domains with a false positive rate close to 0.8%.

Cryptography and Security,Machine Learning

Minzhao Lyu,Hassan Habibi Gharakheili,Vijay Sivaraman

DOI: https://doi.org/10.1145/3547331

2022-07-08

Abstract:The domain name system (DNS) that maps alphabetic names to numeric Internet Protocol (IP) addresses plays a foundational role for Internet communications. By default, DNS queries and responses are exchanged in unencrypted plaintext, and hence, can be read and/or hijacked by third parties. To protect user privacy, the networking community has proposed standard encryption technologies such as DNS over TLS (DoT), DNS over HTTPS (DoH), and DNS over QUIC (DoQ) for DNS communications, enabling clients to perform secure and private domain name lookups. We survey the DNS encryption literature published since 2016, focusing on its current landscape and how it is misused by malware, and highlighting the existing techniques developed to make inferences from encrypted DNS traffic. First, we provide an overview of various standards developed in the space of DNS encryption and their adoption status, performance, benefits, and security issues. Second, we highlight ways that various malware families can exploit DNS encryption to their advantage for botnet communications and/or data exfiltration. Third, we discuss existing inference methods for profiling normal patterns and/or detecting malicious encrypted DNS traffic. Several directions are presented to motivate future research in enhancing the performance and security of DNS encryption.

Cryptography and Security,Networking and Internet Architecture

Andreas Berg,Daniel Forsberg

DOI: https://doi.org/10.48550/arXiv.1906.11246

2019-06-26

Abstract:DNS is a distributed, fault tolerant system that avoids a single point of failure. As such it is an integral part of the internet as we use it today and hence deemed a safe protocol which is let through firewalls and proxies with no or little checks. This can be exploited by malicious agents. Network forensics is effective but struggles due to size of data and manual labour. This paper explores to what extent predictive models can be used to predict network traffic, what protocols are tunneled in the DNS protocol and more specifically whether the predictive performance is enhanced when analyzing DNS-queries and responses together and which feature set that can be used for DNS-tunneled network prediction. The tested protocols are SSH, SFTP and Telnet and the machine learning models used are Multi Layered Perceptron and Random Forests. To train the models we extract the IP Packet length, Name length and Name entropy of both the queries and responses in the DNS traffic. With an experimental research strategy it is empirically shown that the performance of the models increases when training the models on the query and respose pairs rather than using only queries or responses. The accuracy of the models is >83% and reduction in data size when features are extracted is roughly 95%. Our results provides evidence that machine learning is a valuable tool in detecting network protocols in a DNS tunnel and that only an small subset of network traffic is needed to detect this anomaly.

Cryptography and Security,Machine Learning

Rinkel Hananto,Charles Lim,Heru Purnomo Ipung

DOI: https://doi.org/10.1145/3199478.3199505

2018-03-16

Abstract:With more and more organization in the world rely on the Internet to do their business or activity, the malicious attackers are always looking for ways to penetrate in organization internal network to achieve their malicious goals. The malicious activities may include spam distribution, denial of service, adware, identity theft and many other security threats. Many of the security perimeter devices only able to detect network security threats from external, organization is left with many undetected or even unknown internal security threats. Many of these network security threats can be detected by monitoring and analyzing network traffic. One of the emerging threats is Domain Name System (DNS) Distributed Denial of Service (DDoS) attack, which flood the authoritative DNS server with large amount of DNS request. We introduce a new method to detect DDoS attack by using Netflow traffic as the early indicator of DDOS attacks and DNS traffic to validate the DNS DDOS attack. We also showed that by measuring statistical entropy of Netflow traffic and statistical values of DNS NXDOMAIN response, our proposed model could be used to detect either low volume or high volume DDoS attack.