
Refined identification of hybrid traffic in DNS tunnels based on regression analysis

  • Bai, Huiwen (School of Automation, Nanjing University of Science and Technology) ;
  • Liu, Guangjie (School of Automation, Nanjing University of Science and Technology) ;
  • Zhai, Jiangtao (School of Electronic and Information Engineering, Nanjing University of Information Science and Technology) ;
  • Liu, Weiwei (School of Automation, Nanjing University of Science and Technology) ;
  • Ji, Xiaopeng (School of Electronic and Information Engineering, Nanjing University of Information Science and Technology) ;
  • Yang, Luhui (School of Automation, Nanjing University of Science and Technology) ;
  • Dai, Yuewei (School of Electronic and Information Engineering, Nanjing University of Information Science and Technology)
  • Received : 2019.06.05
  • Accepted : 2020.02.06
  • Published : 2021.02.01

Abstract

DNS (Domain Name System) tunnels largely obscure the true network activities of users, which makes it challenging for gateways or censorship equipment to identify malicious or unpermitted network behaviors. An efficient way to address this problem is to conduct a temporal-spatial analysis of the tunnel traffic. Nevertheless, current studies on this topic limit the DNS tunnel to those carrying a single protocol, whereas more than one protocol may be used simultaneously. In this paper, we concentrate on the refined identification of two protocols mixed in a DNS tunnel. A feature set is first derived from DNS query and response flows and then combined with deep neural networks to construct a regression model. We benchmark the proposed method on captured DNS tunnel traffic; the experimental results show that the proposed scheme achieves an identification accuracy of more than 90%. To the best of our knowledge, the proposed scheme is the first to estimate the ratios of two mixed protocols in DNS tunnels.

Acknowledgement

This work was supported by the National Natural Science Foundation of China under Grant no. U1836104, 61702235, and 61921004, and partly supported by Fundamental Research Funds for the Central Universities under Grant no. 30918012204.
