http://dx.doi.org/10.4218/etrij.2019-0299

Refined identification of hybrid traffic in DNS tunnels based on regression analysis  

Bai, Huiwen (School of Automation, Nanjing University of Science and Technology)
Liu, Guangjie (School of Automation, Nanjing University of Science and Technology)
Zhai, Jiangtao (School of Electronic and Information Engineering, Nanjing University of Information Science and Technology)
Liu, Weiwei (School of Automation, Nanjing University of Science and Technology)
Ji, Xiaopeng (School of Electronic and Information Engineering, Nanjing University of Information Science and Technology)
Yang, Luhui (School of Automation, Nanjing University of Science and Technology)
Dai, Yuewei (School of Electronic and Information Engineering, Nanjing University of Information Science and Technology)
Publication Information
ETRI Journal / v.43, no.1, 2021, pp. 40-52
Abstract
DNS (Domain Name System) tunnels largely obscure the true network activities of users, which makes it challenging for gateway or censorship equipment to identify malicious or unpermitted network behaviors. An efficient way to address this problem is to conduct a temporal-spatial analysis of the tunnel traffic. Nevertheless, current studies on this topic restrict the DNS tunnel to carrying a single protocol, whereas more than one protocol may be tunneled simultaneously. In this paper, we concentrate on the refined identification of two protocols mixed in a DNS tunnel. A feature set is first derived from DNS query and response flows and then combined with deep neural networks to construct a regression model. We benchmark the proposed method on captured DNS tunnel traffic, and the experimental results show that the proposed scheme achieves an identification accuracy of more than 90%. To the best of our knowledge, the proposed scheme is the first to estimate the ratios of two mixed protocols in DNS tunnels.
Keywords
DNS tunnels; ratios of two mixed protocols; regression model; temporal-spatial analysis;