Congyuan Xu,Jizhong Shen,Xin Du

DOI: https://doi.org/10.1016/j.jisa.2021.102879

IF: 4.96

2021-01-01

Journal of Information Security and Applications

Abstract:Low-rate Denial of Service (LDoS) attacks use the low-rate requests to achieve the occupation of the network resources and have strong concealment. The traditional signal analysis based detection methods are challenging to detect LDoS attacks in the fluctuating legitimate traffic. In this paper, an LDoS attack detection method based on hybrid deep neural networks is proposed using one-dimensional convolutional neural network and gated recurrent unit. In order to evaluate the proposed detection method in the real scenarios, we captured real legitimate traffic from a website in the datacenter, and carried out a variety of real LDoS attacks on the mirror of the website in the laboratory environment to obtain real attack traffic. The detection results on the real traffic show that the proposed detection method does not need to extract features manually and can effectively detect LDoS attacks in fluctuating HTTP traffic with an average detection rate of 98.68%, which is more advantageous than MF-DFA or power spectral density based detection methods.

Congyuan Xu,Jizhong Shen,Xin Du

DOI: https://doi.org/10.1016/j.cose.2019.04.015

IF: 5.105

2019-01-01

Computers & Security

Abstract:Botnets have become one of the main threats to cyberspace security currently. More and more bots utilize the domain generation algorithm (DGA) to generate malicious domain names to communicate with Command & Control (C&C) servers. A well-designed DGA can bypass the traditional detection methods such as sinkhole and rule filtering, which raises new challenges to cyberspace security. In the field of machine learning, the n-gram is a semantic model that characterizes the relationship among neighboring morphemes while deep convolutional neural networks have a robust capability in processing information with translation-invariant properties. In this paper, we combined n-gram and a deep convolutional neural network and then proposed a novel n-gram combined character based domain classification (n-CBDC) model. The n-CBDC model runs in an end-to-end way that doesn’t require hand-extracted features or domain name system (DNS) contextual information; it only needs to input the domain name itself and can automatically estimate the probability that the domain name was generated by DGAs. Experiments on real-world data show that the proposed method can effectively detect domain names generated by DGAs with 98.69% average detection rate and 0.9829 average F-measure, and significantly outperformed the state-of-art methods in detecting pronounceable and wordlist-based DGA domain names with more than 93.89% detection rate. Therefore, the proposed detection method is robust and has a wide range of adaptability in detecting various types of domain names generated by DGAs.

Ruming Tang,Cheng Huang,Yanti Zhou,Haoxian Wu,Xianglin Lu,Yongqian Sun,Qi Li,Jinjin Li,Weiyao Huang,Siyuan Sun,Dan Pei

DOI: https://doi.org/10.1007/978-3-030-63095-9_1

2020-01-01

Abstract:DNS is a key protocol of the Internet infrastructure, which ensures network connectivity. However, DNS suffers from various threats. In particular, DNS covert communication is one serious threat in enterprise networks, by which attackers establish stealthy communications between internal hosts and remote servers. In this paper, we propose D \({^2}\)C\(^2\) (Detection of DNS Covert Communication), a practical and flexible machine learning-based framework to detect DNS covert communications. D \({^2}\)C\(^2\) is an end-to-end framework contains modular detection models including supervised and unsupervised ones, which detect multiple types of threats efficiently and flexibly. We have deployed D \({^2}\)C\(^2\) in a large commercial bank with 100 millions of DNS queries per day. During the deployment, D \({^2}\)C\(^2\) detected over 4k anomalous DNS communications per day, achieving high precision over 0.97 on average. It uncovers a significant number of unnoticed security issues including seven compromised hosts in the enterprise network.

Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

Franco Palau,Carlos Catania,Jorge Guerra,Sebastian Garcia,Maria Rigaki

DOI: https://doi.org/10.48550/arXiv.2006.06122

2020-06-15

Abstract:Domain Name Service is a trusted protocol made for name resolution, but during past years some approaches have been developed to use it for data transfer. DNS Tunneling is a method where data is encoded inside DNS queries, allowing information exchange through the DNS. This characteristic is attractive to hackers who exploit DNS Tunneling method to establish bidirectional communication with machines infected with malware with the objective of exfiltrating data or sending instructions in an obfuscated way. To detect these threats fast and accurately, the present work proposes a detection approach based on a Convolutional Neural Network (CNN) with a minimal architecture complexity. Due to the lack of quality datasets for evaluating DNS Tunneling connections, we also present a detailed construction and description of a novel dataset that contains DNS Tunneling domains generated with five well-known DNS tools. Despite its simple architecture, the resulting CNN model correctly detected more than 92% of total Tunneling domains with a false positive rate close to 0.8%.

Cryptography and Security,Machine Learning

Heyu Li,Zhangmeizhi Li,Shuyan Zhang,Xiao Pu

DOI: https://doi.org/10.1038/s41598-024-81189-1

IF: 4.6

2024-12-06

Scientific Reports

Abstract:With the widespread application of the Internet, network security issues have become increasingly prominent. As an important infrastructure of the Internet, the domain name server has been attacked in various forms. Traditional methods for detecting malicious domain servers are usually based on rules or feature engineering, requiring a large amount of manual participation and rule library updates. These methods cannot adapt to the constantly changing threat environment. In response to these issues, this study first improves the Transformer by adjusting its attention head and encoding method. Then, the model is combined with convolutional neural networks. Finally, a block-based ensemble classifier is used for classification detection. The relevant outcomes showed that the average accuracy score of the proposed method was as high as 95.8 points, the average detection time score was 96.8 points, the average feature extraction ability score of the model was 96.3 points, and the overall performance score was 97.6 points. This method has significant advantages over traditional methods in terms of accuracy and detection time, providing a new tool for detecting malicious domain servers.

multidisciplinary sciences

Yongjie Wang,Chuanxin Shen,Dongdong Hou,Xinli Xiong,Yang Li

DOI: https://doi.org/10.3390/app122412644

2022-12-09

Applied Sciences

Abstract:In this paper, in order to accurately detect Domain Name System (DNS) covert channels based on DNS over HTTPS (DoH) encryption and to solve the problems of weak single-feature differentiation and poor performance in the existing detection methods, we have designed a DoH-encrypted DNS covert channel detection method based on features fusion, called FF-MR. FF-MR is based on a Multi-Head Attention and Residual Neural Network. It fuses session statistical features with multi-channel session byte sequence features. Some important features that play a key role in the detection task are screened out of the fused features through the calculation of the Multi-Head Attention mechanism. Finally, a Multi-Layer Perceptron (MLP) is used to detect encrypted DNS covert channels. By considering both global and focused features, the main idea of FF-MR is that the degree of correlation between each feature and all other features is expressed as an attention weight. Thus, features are re-represented as the result of the weighted fusion of all features using the Multi-Head Attention mechanism. Focusing on certain important features according to the distribution of attention weights improves the detection performance. While detecting the traffic in encrypted DNS covert channels, FF-MR can also accurately identify encrypted traffic generated by the three DNS covert channel tools. Experiments on the CIRA-CIC-DoHBrw-2020 dataset show that the macro-averaging recall and precision of the FF-MR method reach 99.73% and 99.72%, respectively, and the macro-averaging F1-Score reached 0.9978, which is up to 4.56% higher than the existing methods compared in the paper. FF-MR achieves at most an 11.32% improvement in macro-averaging F1-Score in identifying three encrypted DNS covert channels, indicating that FF-MR has a strong ability to detect and identify DoH-encrypted DNS covert channels.

materials science, multidisciplinary,engineering,chemistry,physics, applied

Yue Wang,Anmin Zhou,Shan Liao,Rongfeng Zheng,Rong Hu,Lei Zhang

DOI: https://doi.org/10.1016/j.comnet.2021.108322

IF: 5.493

2021-10-01

Computer Networks

Abstract:<p>Domain Name System (DNS) tunnels, established between the controlled host and master server disguised as the authoritative domain name server, can be used as a secret data communication channel for malicious activities. Owing to the ready evasion of the DNS traffic to bypass the network security mechanism, DNS tunnelling can cause severe damage. Thus, an in-depth and comprehensive understanding of the various detection technologies is of considerable importance when facing this type of threat. However, most of the existing reviews focus on a single aspect of the DNS tunnel detection technologies, such as methods based on machine learning, traffic, and payload analysis. In addition, few studies have conducted comprehensive investigation that includes a sequentially integrated range of literature in this researchfield, or have analysed the latest literature on DNS tunnels. This paper reviews these detection technologies from a novel perspective of rule-based and model-based methods with descriptions and analyses of the DNS-based tools and their corresponding features. To the best of our knowledge, this is the first study to comprehensively discuss and analyse DNS tunnel detection in a novel and specific classification fashion from various aspects in detail, covering almost all the detection methods developed from 2006 to 2020. Furthermore, a comparative analysis of detection methods and several suggestions for future research directions are presented.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

XiangDong Huang,Hao Li,Jiajia Liu,FengChun Liu,Jian Wang,BaoShan Xie,BaoPing Chen,Qi Zhang,Tao Xue

DOI: https://doi.org/10.1155/2022/9241670

IF: 3.12

2022-06-26

Computational Intelligence and Neuroscience

Abstract:With the rapid development of the Internet, malicious domain names pose more and more serious threats to many fields, such as network security and social security, and there have been many research results on malicious domain detection. This article proposes a malicious domain name detection model based on improved deep learning, which can combine the advantages of three different network models, convolutional neural network (CNN), temporal convolutional network (TCN), and long short-term memory network (LSTM) in malicious domain name detection, to obtain a better detection effect than that of the original single or two models. Experiments show that the effect of the improved deep learning model proposed in this article is better than that of the combined model of CNN and LSTM or the combined model of CNN and TCN, and the accuracy and regression rates reached 99.76% and 98.81%, respectively.

mathematical & computational biology,neurosciences

Andreas Berg,Daniel Forsberg

DOI: https://doi.org/10.48550/arXiv.1906.11246

2019-06-26

Abstract:DNS is a distributed, fault tolerant system that avoids a single point of failure. As such it is an integral part of the internet as we use it today and hence deemed a safe protocol which is let through firewalls and proxies with no or little checks. This can be exploited by malicious agents. Network forensics is effective but struggles due to size of data and manual labour. This paper explores to what extent predictive models can be used to predict network traffic, what protocols are tunneled in the DNS protocol and more specifically whether the predictive performance is enhanced when analyzing DNS-queries and responses together and which feature set that can be used for DNS-tunneled network prediction. The tested protocols are SSH, SFTP and Telnet and the machine learning models used are Multi Layered Perceptron and Random Forests. To train the models we extract the IP Packet length, Name length and Name entropy of both the queries and responses in the DNS traffic. With an experimental research strategy it is empirically shown that the performance of the models increases when training the models on the query and respose pairs rather than using only queries or responses. The accuracy of the models is >83% and reduction in data size when features are extracted is roughly 95%. Our results provides evidence that machine learning is a valuable tool in detecting network protocols in a DNS tunnel and that only an small subset of network traffic is needed to detect this anomaly.

Cryptography and Security,Machine Learning

Xin Ma,Shize Guo,Zhisong Pan,Bin Liu,Kaolin Jiang,Ming Chen,Shijiao Tang

DOI: https://doi.org/10.48550/arXiv.2207.06641

2022-07-14

Abstract:A covert attack method often used by APT organizations is the DNS tunnel, which is used to pass information by constructing C2 networks. And they often use the method of frequently changing domain names and server IP addresses to evade monitoring, which makes it extremely difficult to detect them. However, they carry DNS tunnel information traffic in normal DNS communication, which inevitably brings anomalies in some statistical characteristics of DNS traffic, so that it would provide security personnel with the opportunity to find them. Based on the above considerations, this paper studies the statistical discovery methodology of typical DNS tunnel high-frequency query behavior. Firstly, we analyze the distribution of the DNS domain name length and times and finds that the DNS domain name length and times follow the normal distribution law. Secondly, based on this distribution law, we propose a method for detecting and discovering high-frequency DNS query behaviors of non-single domain names based on the statistical rules of domain name length and frequency and we also give three theorems as theoretical support. Thirdly, we design a sliding window difference scheme based on the above method. Experimental results show that our method has a higher detection rate. At the same time, since our method does not need to construct a data set, it has better practicability in detecting unknown DNS tunnels. This also shows that our detection method based on mathematical models can effectively avoid the dilemma for machine learning methods that must have useful training data sets, and has strong practical significance.

Networking and Internet Architecture

Muhammad Dawood,Chunagbai Xiao,Shanshan Tu,Faiz Abdullah Alotaibi,Mrim M. Alnfiai,Muhammad Farhan

DOI: https://doi.org/10.7717/peerj-cs.2027

2024-05-28

PeerJ Computer Science

Abstract:This article explores detecting and categorizing network traffic data using machine-learning (ML) methods, specifically focusing on the Domain Name Server (DNS) protocol. DNS has long been susceptible to various security flaws, frequently exploited over time, making DNS abuse a major concern in cybersecurity. Despite advanced attack, tactics employed by attackers to steal data in real-time, ensuring security and privacy for DNS queries and answers remains challenging. The evolving landscape of internet services has allowed attackers to launch cyber-attacks on computer networks. However, implementing Secure Socket Layer (SSL)-encrypted Hyper Text Transfer Protocol (HTTP) transmission, known as HTTPS, has significantly reduced DNS-based assaults. To further enhance security and mitigate threats like man-in-the-middle attacks, the security community has developed the concept of DNS over HTTPS (DoH). DoH aims to combat the eavesdropping and tampering of DNS data during communication. This study employs a ML-based classification approach on a dataset for traffic analysis. The AdaBoost model effectively classified Malicious and Non-DoH traffic, with accuracies of 75% and 73% for DoH traffic. The support vector classification model with a Radial Basis Function (SVC-RBF) achieved a 76% accuracy in classifying between malicious and non-DoH traffic. The quadratic discriminant analysis (QDA) model achieved 99% accuracy in classifying malicious traffic and 98% in classifying non-DoH traffic.

computer science, information systems, artificial intelligence, theory & methods

Xiaoqing Sun,Zhiliang Wang,Jiahai Yang,Xinran Liu

DOI: https://doi.org/10.1016/j.cose.2020.102057

IF: 5.105

2020-01-01

Computers & Security

Abstract:As an essential network service, the Domain Name System (DNS) is widely abused by attackers, making malicious domain detection a crucial task when combating cybercrimes. The increasing sophistication of attackers calls for new detection methods against novel threats and evasions. In this paper, we analyze the DNS scene and design an intelligent malicious domain detection system, named DeepDom. With joint consideration of both domain’s local features and their global associations, DeepDom is more accurate and is harder for attackers to evade. In DeepDom, we first represent the DNS scene as a Heterogeneous Information Network (HIN) with diverse entities like clients, domains, IP addresses, and accounts to capture richer information. Then, considering the heterogeneous and dynamic nature of DNS, we propose a novel Graph Convolutional Network (GCN) method named SHetGCN to inductively classify domain nodes in the HIN. By guiding the convolution operations with meta-path based short random walks, SHetGCN can jointly handle node features together with structural information and support inductive node embedding. We build a prototype of DeepDom and validate its effectiveness with comprehensive experiments over the DNS data collected from a real-world network, CERNET2. The comparison results demonstrate that our approaches outperform other state-of-the-art techniques.

Qasem Abu Al-Haija,Manar Alohaly,Ammar Odeh

DOI: https://doi.org/10.3390/s23073489

2023-03-27

Abstract:The Domain Name System (DNS) protocol essentially translates domain names to IP addresses, enabling browsers to load and utilize Internet resources. Despite its major role, DNS is vulnerable to various security loopholes that attackers have continually abused. Therefore, delivering secure DNS traffic has become challenging since attackers use advanced and fast malicious information-stealing approaches. To overcome DNS vulnerabilities, the DNS over HTTPS (DoH) protocol was introduced to improve the security of the DNS protocol by encrypting the DNS traffic and communicating it over a covert network channel. This paper proposes a lightweight, double-stage scheme to identify malicious DoH traffic using a hybrid learning approach. The system comprises two layers. At the first layer, the traffic is examined using random fine trees (RF) and identified as DoH traffic or non-DoH traffic. At the second layer, the DoH traffic is further investigated using Adaboost trees (ADT) and identified as benign DoH or malicious DoH. Specifically, the proposed system is lightweight since it works with the least number of features (using only six out of thirty-three features) selected using principal component analysis (PCA) and minimizes the number of samples produced using a random under-sampling (RUS) approach. The experiential evaluation reported a high-performance system with a predictive accuracy of 99.4% and 100% and a predictive overhead of 0.83 µs and 2.27 µs for layer one and layer two, respectively. Hence, the reported results are superior and surpass existing models, given that our proposed model uses only 18% of the feature set and 17% of the sample set, distributed in balanced classes.

Jan Fesl,Michal Konopa,Jiří Jelínek

DOI: https://doi.org/10.11591/ijece.v13i6.pp6691-6700

2023-12-01

International Journal of Electrical and Computer Engineering (IJECE)

Abstract:Domain name system (DNS) over hypertext transfer protocol secure (HTTPS) (DoH) is currently a new standard for secure communication between DNS servers and end-users. Secure sockets layer (SSL)/transport layer security (TLS) encryption should guarantee the user a high level of privacy regarding the impossibility of data content decryption and protocol identification. Our team created a DoH data set from captured real network traffic and proposed novel deep-learning-based detection models allowing encrypted DoH traffic identification. Our detection models were trained on the network traffic from the Czech top-level domain maintainer, Czech network interchange center (CZ.NIC), and successfully applied to the identification of the DoH traffic from Cloudflare. The reached detection model accuracy was near 95%, and it is clear that the encryption does not prohibit the DoH protocol identification.

Xiaoqing Sun,Mingkai Tong,Jiahai Yang

DOI: https://doi.org/10.48550/arXiv.1909.01590

2019-09-04

Cryptography and Security

Abstract:Domain name system (DNS) is a crucial part of the Internet, yet has been widely exploited by cyber attackers. Apart from making static methods like blacklists or sinkholes infeasible, some weasel attackers can even bypass detection systems with machine learning based classifiers. As a solution to this problem, we propose a robust domain detection system named HinDom. Instead of relying on manually selected features, HinDom models the DNS scene as a Heterogeneous Information Network (HIN) consist of clients, domains, IP addresses and their diverse relationships. Besides, the metapath-based transductive classification method enables HinDom to detect malicious domains with only a small fraction of labeled samples. So far as we know, this is the first work to apply HIN in DNS analysis. We build a prototype of HinDom and evaluate it in CERNET2 and TUNET. The results reveal that HinDom is accurate, robust and can identify previously unknown malicious domains.

Chang Deliang,Zhang Qianli,Li Xing

DOI: https://doi.org/10.13245/j.hust.161123

2016-01-01

Abstract:To solve the problems that many approaches focus on flow analysis ,which is unrealistic for a large‐scale network ,a method of user online detection algorithm was proposed based on passive DNS log analysis .T his method avoided the complexity of traffic or raw packet analysis by utilizing DNS (domain name system) logs ,and exploited the silence of users′DNS activities when they were offline to identify users′online time length or join/departure time .The method was validated with real‐world data from the campus network of Tsinghua University ,with a 90 .6% precision rate and a recall rate of 96 .3% .Further study indicates that the users of wireless network often have shorter online time length and change faster ,and the network characteristics in workdays are different from weekends . These results show that this algorithm is capable of being utilized in a real‐world large‐scale network .

Xiaoqing Sun,Jiahai Yang,Zhiliang Wang,Heng Liu

DOI: https://doi.org/10.1109/noms47738.2020.9110462

2020-01-01

Abstract:As a fundamental component of the Internet, Domain Name System (DNS) is widely abused by attackers in various cybercrimes, making malicious domain detection an essential task in network defenses. However, some well-crafted attacks with tricky techniques can not only bypass blacklists but also make some machine learning-based detection systems infeasible. In this paper, we design HGDom, an accurate and robust malicious domain detection system based on a heterogeneous graph convolutional network method. First, we jointly analyze domain features as well as the complex relations among domains, clients, and IP addresses. To capture richer information, we introduce a Heterogeneous Information Network (HIN) to model the DNS scene. Then, we propose a novel representation method named MAGCN. With a meta-path-based attention mechanism, it can handle node features and the graph structure in HIN at the same time. To our best knowledge, this is the first work to apply GCN in cyber security analysis. Comprehensive experiments over DNS data from TUNET and CERNET2 are conducted to validate the effectiveness and superiority of our proposed methods. The comparison results show that HGDom outperforms state-of-the-art approaches with promising performance. Besides, the system is decided to be deployed in production to assist with network security management for CERNET2.

Li Yijie,Zhai Shang,Chen Mingrui

DOI: https://doi.org/10.48550/arXiv.1903.07889

2019-03-19

Abstract:Distributed Denial of Service (DDOS) attack is one of the most common network attacks. DDoS attacks are becoming more and more diverse, which makes it difficult for some DDoS attack detection methods based on single network flow characteristics to detect various types of DDoS attacks, while the detection methods of multi-feature DDoS attacks have a certain lag due to the complexity of the algorithm. Therefore, it is necessary and urgent to monitor the trend of traffic change and identify DDoS attacks timely and accurately. In this paper, a method of DDoS attack detection based on deep belief network feature extraction and LSTM model is proposed. This method uses deep belief network to extract the features of IP packets, and identifies DDoS attacks based on LSTM model. This scheme is suitable for DDoS attack detection technology. The model can accurately predict the trend of normal network traffic, identify the anomalies caused by DDoS attacks, and apply to solve more detection methods about DDoS attacks in the future.

Cryptography and Security

Love Allen Chijioke Ahakonye,Gabriel Chukwunonso Amaizu,Cosmas Ifeanyi Nwakanma,Jae Min Lee,Dong-Seong Kim

DOI: https://doi.org/10.23919/jcn.2023.000067

2024-03-06

Journal of Communications and Networks

Abstract:The domain name system (DNS) has evolved into an essential component of network communications, as well as a critical component of critical industrial systems (CIS) and Supervisory Control and Data Acquisition (SCADA) network connection. DNS over HTTPS (DoH) encapsulating DNS within hypertext transfer protocol secure (HTTPS) does not eliminate network access exploitation. This paper proposes a hybrid deep learning model for the early classification of encoded network traffic into one of the two classes: DoH and NonDoH. They can be malicious, benign, or zero-day attacks. The proposed scheme incorporates the swiftness of the convolutional neural network (CNN) in extracting useful information and the ease of long short-term memory (LSTM) in learning long-term dependencies. The simulation results showed that the proposed approach accurately classifies the encoded network traffic as DoH or NonDoH and characterizes the traffic as benign, zero-day, or malicious. The proposed robust hybrid deep learning model had high accuracy and precision of 99.28%, recall of 99.75%, and AUC of 0.9975 at a minimal training and testing time of 745s and 0.000324 s, respectively. In addition to outperforming other compared contemporary algorithms and existing techniques, the proposed technique significantly detects all attack types. This study also investigated the impact of the SMOTE technique as a tool for data balancing. To further validate the reliability of the proposed scheme, an industrial control system SCADA (ICS-SCADA) dataset, in addition to two (2) other cyber-security datasets (NSL-KDD and CICDS2017), were evaluated. Mathews correlation coefficient (MCC) was employed to validate the model performance, confirming the applicability of the proposed model in a critical industrial system such as SCADA.

computer science, information systems,telecommunications