A DNS-based Data Exfiltration Traffic Detection Method for Unknown Samples

Ruiling, Gan; Diao, Jiawen; Cui, Xiang; Shouyou, Song

doi:10.1109/dsc55868.2022.00032

Cited by 2 publications

(1 citation statement)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Supervised learning methods. Several methods that rely on labeled data for training [17], [33], [34], [35] have been proposed. This is reasonable for identifying a predetermined set of known DNS exfiltration tools, but as shown in [18], the absence of high-quality publicly-available datasets prevents these methods from identifying unfamiliar DNS exfiltration malware.…”

Section: Offline Detection Methods By Designmentioning

confidence: 99%

Information Based Heavy Hitters for Real-Time DNS Data Exfiltration Detection

Ozery,

Nadler,

Shabtai

2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Data exfiltration over the DNS protocol and its detection have been researched extensively in recent years. Prior studies focused on offline detection methods, which although capable of detecting attacks, allow a large amount of data to be exfiltrated before the attack is detected and dealt with. In this paper, we introduce Information-based Heavy Hitters (ibHH), a real-time detection method which is based on live estimations of the amount of information transmitted to registered domains. ibHH uses constant-size memory and supports constant-time queries, which makes it suitable for deployment on recursive DNS servers to further reduce detection and response time. In our evaluation, we compared the performance of the proposed method to that of leading state-of-the-art DNS exfiltration detection methods on real-world datasets comprising over 250 billion DNS queries. The evaluation demonstrates ibHH's ability to successfully detect exfiltration rates as slow as 0.7B/s, with a false positive alert rate of less than 0.004, with significantly lower resource consumption compared to other methods.

show abstract

Section: Offline Detection Methods By Designmentioning

confidence: 99%

Information Based Heavy Hitters for Real-Time DNS Data Exfiltration Detection

Ozery,

Nadler,

Shabtai

2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

APT Attack Detection Scheme Based on CK Sketch and DNS Traffic

Xue

Chi

et al. 2023

Sensors

View full text Add to dashboard Cite

In recent years, Advanced Persistent Threat (APT) attacks against sensors have emerged as a prominent security concern. Due to the low level of protection provided by sensors, APT attack organizations are able to develop intrusion schemes that allow them to infiltrate, attack, lurk, spread, and steal information from the target over an extended period of time. Through extensive research on the APT attack process and current defense mechanisms, it has been found that analyzing Domain Name Server (DNS) traffic in the communication control phase is an effective way of detecting APT attacks. However, analyzing APT attacks based on traffic usually involves the detection of a vast amount of DNS traffic, and current data preprocessing methods do not scale down data effectively, leading to low detection efficiency. In previous work, most efforts have been focused on calculating the features of request messages or corresponding messages without considering the association between request messages and corresponding messages. To address these issues, we propose a sketch-based APT attack traffic detection scheme. The scheme leverages the sketch structure to count and compress network traffic, improving the efficiency of APT detection. Our work also analyzes the limitations of traditional sketches in network traffic and proposes an improved sketch scheme. In addition, we propose several effective features for detecting APT attacks. We validate and evaluate our solution using 1,088,280 DNS traffic from a lab network and APT suspicious traffic from netresec and contagio, using eight machine learning models. The experimental results show that for the ExtraTrees model, our solution has a processing time of 0.0638 s and an accuracy of 0.97920, reducing the processing time by approximately 50 times and improving detection accuracy by a small margin compared to a dataset without sketch processing.

show abstract

A DNS-based Data Exfiltration Traffic Detection Method for Unknown Samples

Cited by 2 publications

References 12 publications

Information Based Heavy Hitters for Real-Time DNS Data Exfiltration Detection

Information Based Heavy Hitters for Real-Time DNS Data Exfiltration Detection

APT Attack Detection Scheme Based on CK Sketch and DNS Traffic

Contact Info

Product

Resources

About