Guangyuan Gao,Weina Niu,Jiacheng Gong,Dujuan Gu,Song Li,Mingxue Zhang,Xiaosong Zhang

DOI: https://doi.org/10.1109/tifs.2024.3443596

IF: 7.231

2024-08-24

IEEE Transactions on Information Forensics and Security

Abstract:DNS tunnels, due to their versatility and concealment, have become a preferred method for attackers to execute Command and Control (C&C) attacks, posing a significant security threat to terminal devices. Therefore, the efficient and accurate detection of DNS tunnels is important in reducing the economic losses and privacy risks faced by both enterprises and individuals. Despite notable advancements in the research of intelligent detection of DNS tunnels, existing model-based approaches predominantly concentrate on the surface-level features of domain names or packet payloads. This narrow focus leads to low detection accuracy when dealing with unknown DNS tunnel attacks and traffic from wildcard DNS. Furthermore, these methods struggle with accurately identifying DNS tunneling tools, complicating the task of swiftly locating and mitigating malware for analysts. This paper proposes GraphTunnel, a framework based on graph neural networks for detecting DNS tunnels and identifying tunneling tools. It delves into the correlations among DNS resolutions to construct paths that represent the recursive resolution process of DNS. By using central nodes that denote the gateways, these paths are connected and transformed into graph structures. Concurrently, it employs GraphSage to aggregate the features of nodes and their edges in the graph, enabling effective detection of DNS tunnels. Additionally, GraphTunnel utilizes the G2M algorithm to capture the statistical features of nodes in the graph and maps them into grayscale images, which are then processed by a CNN for multi-class identification of DNS tunneling tools. Experimental results demonstrate that in non-wildcard DNS scenarios, GraphTunnel achieves a 100% accuracy in DNS tunnel detection, encompassing unknown DNS tunnels. Even in high false-positive environments caused by wildcard DNS, GraphTunnel maintains an F1-Score of 99.78%. Moreover, GraphTunnel can identify DNS tunneling tools with an accuracy rate exceeding 98.57%, enhancing the rapid mitigation capabilities of emergency responders in dealing with malicious DNS tunnels.

computer science, theory & methods,engineering, electrical & electronic

Cheng Qi,Xiaojun Chen,Cui Xu,Jinqiao Shi,Peipeng Liu

DOI: https://doi.org/10.1016/j.procs.2013.05.109

2013-01-01

Procedia Computer Science

Abstract:DNS (Domain Name System) tunnels can provide high-bandwidth covert channels that pose a significant risk to sensitive information inside the company networks. Sensitive data are embedded in DNS query and response packets to exfiltrate and infiltrate the network boundaries. However, traditional Intrusion Detection Systems (IDS) and Firewalls let DNS packets pass without any checking. This paper explores a novel approach to detect in real time whether a DNS packet is in a tunnel by scoring the query domain based on bigram. Experiment shows that the bigrams of domains follow Zipf's law whereas tunnelled traffic is obedient to random distribution. The score mechanism in detecting DNS tunnels is proved to be usable theoretically and is confirmed in the experiment. Our approach can get a high accuracy of 98.74% and low false positive of 1.24%.

Jingkun Liu,Shuhao Li,Yongzheng Zhang,Jun Xiao,Peng Chang,Chengwei Peng

DOI: https://doi.org/10.1109/trustcom/bigdatase/icess.2017.256

2017-01-01

Abstract:DNS tunnel is a typical Internet covert channel used by attackers or bots to evade the malicious activities detection. The stolen information is encoded and encapsulated into the DNS packets to transfer. Since DNS traffic is common, most of the firewalls directly allow it to pass and IDS does not trigger an alarm with it. The popular signature-based detection methods and threshold-based methods are not flexible and make high false alarms. The approaches based on characters distribution features also do not perform well, because attackers can modify the encoding method to disturb the characters distributions.In this paper, we propose an effective and applicable DNS tunnel detection mechanism. The prototype system is deployed at the Recursive DNS for tunnel identification. We use four kinds of features including time-interval features, request packet size features, record type features and subdomain entropy features. We evaluate the performance of our proposal with Support Vector Machine, Decision Tree and Logistical Regression. The experiments show that the method can achieve high detection accuracy of 99.96%.

Yang Zhao,Hongzhi Ye,Lingzi Li,Cheng Huang,Tao Zhang

DOI: https://doi.org/10.1109/dsc50466.2020.00015

2020-01-01

Abstract:DNS server is one of the most important Internet infrastructures in modern society. DNS Tunnel technology is firstly used to get free WiFi, more and more security incidents using DNS protocol to transmit information or illegal commands in recently advanced persistent threat attacks. Most security products such as firewalls, intrusion detection systems and intrusion prevention systems rarely detect DNS communication, which provides naturally command and control communication channel for attackers. The traditional detection methods only focus on the network communication feature for DNS tunnel tools, such as iodine, dnscat2 and dns2tcp. Then many machine learning detection methods are introduced to automatically learn the abstract features and classify the illegal communication method, but the detection result is not still satisfied with high accurate and low false positive. In order to solve this issue, the paper proposed an automatically detecting methods based on session behaviors and random forest algorithm. The experiments proved the method could achieve high accuracy (99.79%) with recall (98.67%), which is higher than other general algorithms.

Xin Ma,Shize Guo,Zhisong Pan,Bin Liu,Kaolin Jiang,Ming Chen,Shijiao Tang

DOI: https://doi.org/10.48550/arXiv.2207.06641

2022-07-14

Abstract:A covert attack method often used by APT organizations is the DNS tunnel, which is used to pass information by constructing C2 networks. And they often use the method of frequently changing domain names and server IP addresses to evade monitoring, which makes it extremely difficult to detect them. However, they carry DNS tunnel information traffic in normal DNS communication, which inevitably brings anomalies in some statistical characteristics of DNS traffic, so that it would provide security personnel with the opportunity to find them. Based on the above considerations, this paper studies the statistical discovery methodology of typical DNS tunnel high-frequency query behavior. Firstly, we analyze the distribution of the DNS domain name length and times and finds that the DNS domain name length and times follow the normal distribution law. Secondly, based on this distribution law, we propose a method for detecting and discovering high-frequency DNS query behaviors of non-single domain names based on the statistical rules of domain name length and frequency and we also give three theorems as theoretical support. Thirdly, we design a sliding window difference scheme based on the above method. Experimental results show that our method has a higher detection rate. At the same time, since our method does not need to construct a data set, it has better practicability in detecting unknown DNS tunnels. This also shows that our detection method based on mathematical models can effectively avoid the dilemma for machine learning methods that must have useful training data sets, and has strong practical significance.

Networking and Internet Architecture

Siyu Zhang,Zhipeng Han,Kaida Jiang

DOI: https://doi.org/10.1109/ICPICS58376.2023.10235404

2023-01-01

Abstract:In recent years, malicious software that utilizes covert channels to transmit private data has become increasingly prevalent. The privacy information of affected users, such as accounts and passwords, is quietly transmitted to attackers. Hackers commonly employ covert tunnels that utilize the Domain Name System (DNS) to achieve this, transmitting stolen information through malicious domains. Traditional DNS tunneling techniques generate significant communication traffic, and related research has delved deeper into this area. However, they face challenges in detecting malicious software that transmits data at low rates. This paper proposes a DNS data leakage detection algorithm based on anomaly detection models. Through experimental verification combining simulated attacks with real data, this algorithm demonstrates high detection rates for low-rate data leakage channels, while also maintaining good detection performance for traditional DNS tunnels.

Yong-jie WANG,Jing-juP LIU

DOI: https://doi.org/10.3969/j.issn.1000-3428.2014.07.021

2014-01-01

Abstract:The development of protocol covert tunnel technology threatens the security of network information system. Mastering the principle of covert tunnel based on DNS protocol is very important to design aimed measures for network system security. On the basis of this, this paper proposes a kind of covert tunnel technology based on DNS protocol. The technology utilizes the kernel standing of DNS system as network infrastructure, which can penetrate security defense policy covertly. The structure and principle of DNS system are introduced briefly. The principle and key technologies such as data encoding, evading detection, communication reliably, speed control are studied. Analysis results show that the technology has well reliability, strong coverture and high communication efficiency.

Kemeng Wu,Yongzheng Zhang,Tao Yin

DOI: https://doi.org/10.1109/TrustCom50675.2020.00044

2020-01-01

Abstract:The domain name system(DNS) protocol is one of the most versatile protocols in the world. If a hacker can control the DNS protocol to pass messages and control the host of victim, then no firewall can effectively intercept the DNS protocol. In recent years, the DNS tunnel is one of the most dangerous threats in the field of steganography, which supports a wide range of criminal activities. In order to detect and distinguish different types of DNS tunnels, we present a three-stage DNS tunnel detection method based on character feature extraction. This novel method named FTPB which uses feature extraction to filter out the domain names of the DNS tunnels by feature extraction classifier and then converts them into a high-dimensional vector by term frequency-inverse document frequency(TF-IDF), and reduces the dimension to 2 by principal components analysis(PCA). Ultimately, the data is classified by a binary vector classifier. Our method only needs to extract the character information of the domain names, and can effectively discover different types of DNS tunnels. Compared with traditional detection methods that can only detect DNS tunnels based on content, our research method can also have the ability to detect DNS tunnels based on codebooks, and the outcome of the evaluation substantially prove the efficacy of our method with accuracy and precision are more than 99%.

Zheng Wang

DOI: https://doi.org/10.48550/arXiv.1605.01401

2016-05-04

Cryptography and Security

Abstract:This paper proposes a defense scheme against malicious use of DNS tunnel. A tunnel validator is designed to provide trustworthy tunnel-aware defensive recursive service. In addition to the detection algorithm of malicious tunnel domains, the tunnel validation relies on registered tunnel domains as whitelist and identified malicious tunnel domains as blacklist. A benign tunnel user is thus motivated to register its tunnel domain before using it. Through the tunnel validation, the secure domains are allowed to the recursive service provided by the tunnel validator and the insecure domains are blocked. All inbound suspicious DNS queries are recorded and stored for forensics and future malicious tunnel detection by the tunnel validator.

Franco Palau,Carlos Catania,Jorge Guerra,Sebastian Garcia,Maria Rigaki

DOI: https://doi.org/10.48550/arXiv.2006.06122

2020-06-15

Abstract:Domain Name Service is a trusted protocol made for name resolution, but during past years some approaches have been developed to use it for data transfer. DNS Tunneling is a method where data is encoded inside DNS queries, allowing information exchange through the DNS. This characteristic is attractive to hackers who exploit DNS Tunneling method to establish bidirectional communication with machines infected with malware with the objective of exfiltrating data or sending instructions in an obfuscated way. To detect these threats fast and accurately, the present work proposes a detection approach based on a Convolutional Neural Network (CNN) with a minimal architecture complexity. Due to the lack of quality datasets for evaluating DNS Tunneling connections, we also present a detailed construction and description of a novel dataset that contains DNS Tunneling domains generated with five well-known DNS tools. Despite its simple architecture, the resulting CNN model correctly detected more than 92% of total Tunneling domains with a false positive rate close to 0.8%.

Cryptography and Security,Machine Learning

Huiwen Bai,Guangjie Liu,Jiangtao Zhai,Weiwei Liu,Xiaopeng Ji,Luhui Yang,Yuewei Dai

DOI: https://doi.org/10.4218/etrij.2019-0299

2020-01-01

ETRI Journal

Abstract:DNS (Domain Name System) tunnels almost obscure the true network activities of users, which makes it challenging for the gateway or censorship equipment to identify malicious or unpermitted network behaviors. An efficient way to address this problem is to conduct a temporal-spatial analysis on the tunnel traffic. Nevertheless, current studies on this topic limit the DNS tunnel to those with a single protocol, whereas more than one protocol may be used simultaneously. In this paper, we concentrate on the refined identification of two protocols mixed in a DNS tunnel. A feature set is first derived from DNS query and response flows, which is incorporated with deep neural networks to construct a regression model. We benchmark the proposed method with captured DNS tunnel traffic, the experimental results show that the proposed scheme can achieve identification accuracy of more than 90%. To the best of our knowledge, the proposed scheme is the first to estimate the ratios of two mixed protocols in DNS tunnels.

Xingguo Li,Junfeng Wang,Xiaosong Zhang

DOI: https://doi.org/10.3390/fi9040055

2017-01-01

Future Internet

Abstract:With the help of botnets, intruders can implement a remote control on infected machines and perform various malicious actions. Domain Name System (DNS) is very famous for botnets to locate command and control (C and C) servers, which enormously strengthens a botnet's survivability to evade detection. This paper focuses on evasion and detection techniques of DNS-based botnets and gives a review of this field for a general summary of all these contributions. Some important topics, including technological background, evasion and detection, and alleviation of botnets, are discussed. We also point out the future research direction of detecting and mitigating DNS-based botnets. To the best of our knowledge, this topic gives a specialized and systematic study of the DNS-based botnet evading and detecting techniques in a new era and is useful for researchers in related fields.

Shenfei Pei,feiping Nie,Rong Wang,Jun Wu,Qinglong Chang,Liang Zhang

DOI: https://doi.org/10.2139/ssrn.4170486

2022-01-01

SSRN Electronic Journal

Abstract:Arbitrary data on a computer having external network connectivity can be sent to the attacker by making Domain Name System ( DNS ) queries. This technique is known as DNS tunneling. DNS tunneling detection can be seen as a classification task in the view of machine learning. However, the traditional classifiers cannot accurately predict the classes of queries whose patterns do not appear during training and these queries are inevitable in the live network. For convenience, we call them unknown queries. This paper first discussed the risks of DNS tunneling and the difficulties faced by DNS tunneling detection. Then we described DNS tunneling detection as a machine learning problem, i.e., Classification with New Patterns Emerging ( CNPE ), and presented its definition. Finally, we proposed a forest-based classifier to tackle this problem. Our model can identify unknown samples as a new class as well as accurately classify samples that are not unknown. The computational overhead of our model is near-linear with respect to the number of samples, and it is memory-friendly. Experiments are conducted on queries obtained from the live network and on public datasets . Experimental results show the effectiveness of the proposed algorithm.

Minzhao Lyu,Hassan Habibi Gharakheili,Vijay Sivaraman

DOI: https://doi.org/10.1145/3547331

2022-07-08

Abstract:The domain name system (DNS) that maps alphabetic names to numeric Internet Protocol (IP) addresses plays a foundational role for Internet communications. By default, DNS queries and responses are exchanged in unencrypted plaintext, and hence, can be read and/or hijacked by third parties. To protect user privacy, the networking community has proposed standard encryption technologies such as DNS over TLS (DoT), DNS over HTTPS (DoH), and DNS over QUIC (DoQ) for DNS communications, enabling clients to perform secure and private domain name lookups. We survey the DNS encryption literature published since 2016, focusing on its current landscape and how it is misused by malware, and highlighting the existing techniques developed to make inferences from encrypted DNS traffic. First, we provide an overview of various standards developed in the space of DNS encryption and their adoption status, performance, benefits, and security issues. Second, we highlight ways that various malware families can exploit DNS encryption to their advantage for botnet communications and/or data exfiltration. Third, we discuss existing inference methods for profiling normal patterns and/or detecting malicious encrypted DNS traffic. Several directions are presented to motivate future research in enhancing the performance and security of DNS encryption.

Cryptography and Security,Networking and Internet Architecture

Huiwen Bai,Weiwei Liu,Guangjie Liu,Yuewei Dai,Shuhua Huang

DOI: https://doi.org/10.1109/access.2021.3085500

IF: 3.9

2021-01-01

IEEE Access

Abstract:Due to the capability of passing through heavily censored networks or gateway equipped with the traffic-monitoring module, DNS tunnel has been the dominant covert communication technique for command and control between the victim and the attacker in network attack events. Although the discovery of DNS tunnel has been intensively studied, the internal application behavior identification for DNS tunnels still remains a challenging problem. The fine-gained identification can help to reveal more behavior information wrapped in DNS tunnels. In this study, we investigate the spatial-temporal information from the raw packets to identify the internal application behaviors in DNS tunnels. Multi-dimensional features on packet length and timing for DNS tunnels with different internal application behaviors are incorporated with a machine-learning algorithm to identify the internal application behaviors in DNS tunnels. We consider 4 common types of application behaviors in our research, including browsing webpages, emailing, downloading data, and controlling the remote servers. The experimental results show that the proposed scheme can achieve higher identification accuracy with a much lower packet consuming rate when compared with the state-of-the-art internal protocol identification scheme. The experiment results depict that our proposed scheme is better in terms of F-score, which can reach 99% with only 100 packets.

Senmiao Wang,Luli Sun,Sujuan Qin,WenMin Li,Wentao Liu

DOI: https://doi.org/10.1016/j.cose.2022.102818

2022-09-01

Abstract:Nowadays, DNS channel attacks on mobile devices have become a challenging threat. Attackers usually attack mobile devices and steal information with the help of DNS channel. It is difficult for users to detect this kind of attack, especially when attackers covert sensitive information in the DNS response. In this paper, we proposed a method for DNS tunnel detection based on isolated forest for Android. We constructed a framework for mobile devices to collect DNS tunnel traffic. Based on the analysis of DNS tunnel traffic generated on mobile devices, we extracted features based on DNS request and response and constructed the feature set. We proposed a DNS tunnel detector, KRTunnel, for mobile devices. Experiments showed that KRTunnel can identify unseen DNS tunnel traffic with the accuracy of 98.1%.

computer science, information systems

Andreas Berg,Daniel Forsberg

DOI: https://doi.org/10.48550/arXiv.1906.11246

2019-06-26

Abstract:DNS is a distributed, fault tolerant system that avoids a single point of failure. As such it is an integral part of the internet as we use it today and hence deemed a safe protocol which is let through firewalls and proxies with no or little checks. This can be exploited by malicious agents. Network forensics is effective but struggles due to size of data and manual labour. This paper explores to what extent predictive models can be used to predict network traffic, what protocols are tunneled in the DNS protocol and more specifically whether the predictive performance is enhanced when analyzing DNS-queries and responses together and which feature set that can be used for DNS-tunneled network prediction. The tested protocols are SSH, SFTP and Telnet and the machine learning models used are Multi Layered Perceptron and Random Forests. To train the models we extract the IP Packet length, Name length and Name entropy of both the queries and responses in the DNS traffic. With an experimental research strategy it is empirically shown that the performance of the models increases when training the models on the query and respose pairs rather than using only queries or responses. The accuracy of the models is >83% and reduction in data size when features are extracted is roughly 95%. Our results provides evidence that machine learning is a valuable tool in detecting network protocols in a DNS tunnel and that only an small subset of network traffic is needed to detect this anomaly.

Cryptography and Security,Machine Learning

谷传征,王轶骏,薛质

DOI: https://doi.org/10.3969/j.issn.1009-8054.2011.12.048

2011-01-01

Abstract:Covert channel can be employed to transfer information in a security-policy-breaking manner. Recently, covert channels in computer network protocols becomes a hot topic DNS protocol underlies the conversion of hostnames into IP address on the internet, and as a bidirectional protocol, is required by most computer networks, so it possible to establish, based on DNS protocol the covert channel. This paper first presents the concept of covert channel and DNS tunnel, the core of the DNS tunnel system, then describes the use demonstration of DNS tunnel tool, and finally proposes some improvements for more effective data transfer by DNS tunnel.

Kemeng Wu,Yongzheng Zhang,Tao Yin

DOI: https://doi.org/10.1109/ICC40277.2020.9149162

2020-01-01

Abstract:The DNS protocol is one of the most important network infrastructure protocols. The encrypted information based on this protocol will not be intercepted by the firewall, so the attacker uses this vulnerability to pass private data through the establishment of DNS tunnels and avoids the security inspection. In order to detect the DNS tunnel conveniently and effectively, we present a novel method that uses Autoencoder to learn latent representation of different datasets. Because the feature is not extracted manually, we show how Autoencoder(AE) can automatically learn the concept of semantic similarity among features of normal traffic. We propose a novel method named TDAE which can detect DNS tunnel traffics using Autoencoder algorithms. To verify the validity of our method, we select a labeled dataset and a public and unlabeled dataset as our training set. The experimental results show that the recall rate can exceed 0.9834 on the labeled dataset and 0.9313 on the SINGH-data [1].

Shaojie Chen,Bo Lang,Hongyu Liu,Duokun Li,Chuan Gao

DOI: https://doi.org/10.1016/j.cose.2020.102095

2021-05-01

Abstract:<p>DNS is a kind of basic network protocol that is rarely blocked by firewalls; therefore, it is used to build covert channels. Malicious DNS covert channels play an important role in data exfiltration and botnets and do great harm to the network environment. To detect DNS covert channels, researchers extract multiple features from different perspectives of DNS traffic. At present, many detection methods using machine learning are based on manual features, which usually include complex data preprocessing and feature extraction. Additionally, these methods seriously rely on expert knowledge, and some potential features are hard to discover. To address these problems, we propose a DNS covert channel detection method using the LSTM model, which does not rely on feature engineering. First, we use the FQDNs of DNS packets as the input and implement an end-to-end detection approach using LSTM. Then, we filter the detection results of the LSTM model with the grouped filtering method to further reduce the false positive rate. Using the packets from the Internet and the packets generated by running different DNS covert channel tools, we construct our datasets, in which generalization test datasets are included in addition to the FQDN and the DNS packet datasets for model training. Our method achieves an accuracy rate of 99.38% on the test dataset and a recall rate of 98.52% on the generalization test dataset, which are better than the state-of-the-art methods. This method is also tested in a real network environment and has detected multiple malicious DNS covert channel events.</p>

computer science, information systems