Detection of Application-Layer Tunnels with Rules and Machine Learning

Lin, Huaqing; Liu, Gao; Yan, Zheng

doi:10.1007/978-3-030-24907-6_33

Cited by 11 publications

(4 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Specifically, it is a process to let computer systems or machines see, know, learn and predict the world like a human being. "Machine learning is the study of making machines acquire new knowledge, new skills, and reorganize existing knowledge" [70,[72][73][74]. At the beginning of the birth of machine learning, people performed researches to let a machine study, gain skills and build its own knowledge world automatically.…”

Section: Machine Learningmentioning

confidence: 99%

A survey on machine learning for data fusion

et al. 2020

Self Cite

View full text Add to dashboard Cite

Section: Machine Learningmentioning

confidence: 99%

A survey on machine learning for data fusion

et al. 2020

Self Cite

View full text Add to dashboard Cite

“…In the detection method based on statistical behavior, [18] counted 12 behavioral characteristics of covert tunnels by analyzing data characteristic information such as packet size, tunnel traffic type, and fixed format of data, and established an SVM machine learning model to detect covert tunnels. In [19], authors established an information entropy-based detection model by calculating the confusion level of the data portion of ICMP.…”

Section: Preliminariesmentioning

confidence: 99%

“…Some commercial software constructs feature databases by directly querying the feature signature of malware [6]. In [18], the feature databases were constructed by directly cutting words. In our paper, we found that ICMP covert tunnel traffic has obvious and specific attack intentions in the data part, such as SHELL_ATTACKS, ACCESS_SENSITIVE_DIRS, etc.…”

Section: Feature Database Constructionmentioning

confidence: 99%

ICMPTend: Internet Control Message Protocol Covert Tunnel Attack Intent Detector

Tu¹,

Yin²,

Zhang³

et al. 2022

Computers, Materials &Amp; Continua

View full text Add to dashboard Cite

The Internet Control Message Protocol (ICMP) covert tunnel refers to a network attack that encapsulates malicious data in the data part of the ICMP protocol for transmission. Its concealment is stronger and it is not easy to be discovered. Most detection methods are detecting the existence of channels instead of clarifying specific attack intentions. In this paper, we propose an ICMP covert tunnel attack intent detection framework ICMPTend, which includes five steps: data collection, feature dictionary construction, data preprocessing, model construction, and attack intent prediction. ICMPTend can detect a variety of attack intentions, such as shell attacks, sensitive directory access, communication protocol traffic theft, filling tunnel reserved words, and other common network attacks. We extract features from five types of attack intent found in ICMP channels. We build a multi-dimensional dictionary of malicious features, including shell attacks, sensitive directory access, communication protocol traffic theft, filling tunnel reserved words, and other common network attack keywords. For the high-dimensional and independent characteristics of ICMP traffic, we use a support vector machine (SVM) as a multi-class classifier. The experimental results show that the average accuracy of ICMPTend is 92%, training ICMPTend only takes 55 s, and the prediction time is only 2 s, which can effectively identify the attack intention of ICMP.

show abstract

“…Latest techniques include ML based techniques for filtering anomalous domain names. For example, in (Lin, 2019), they combine both techniques to enhace detection. However, DGA techniques keep evolving, creating more sophisticated DGAs, such as the dictionary-based ones.…”

Section: Motivation and Contributionsmentioning

confidence: 99%

Siamese Neural Network and Machine Learning for DGA Classification

Segurola-Gil

Egüés²,

Zola³

et al. 2022

eccws

View full text Add to dashboard Cite

Domain Generation Algorithms (DGA) are systems used to create immediate multiple and varying domain names. Such “artificial” domains can be then used for siting command and control servers which in turn oversee recruiting/infecting devices, and finally turning them into new resources to be exploited. In this sense, identifying DGA domain names can be crucial, to avoid cyberattacks like Phishing, Spam sending, Bitcoin mining, and many other. Usually, domain names generated by DGAs, are comprised by illegible character strings, but new “intelligent” DGAs tend to generate names using combination of words in dictionaries making its detection a challenging task. For this reason, in this work, we propose to address this problem using a combination of Machine Learning algorithms for improving the classification of DGAs domains. In particular, we propose to combine Siamese Neural Networks and traditional supervised Machine Learning algorithms in order to expand the input domain into separable n-dimensional data points and then achieve the domain classification. The proposed approach can be separated into 3 phases. In a first phase, domain names are encoded, by a one-hot encoder and a variation of this, named probabilistic one-hot encoder, which are implemented separately. Then, in the second phase, Long Short-Term Memory and Convolutional Siamese embedders are tested and compared. In particular, the first one is combined with the one-hot, while the Convolution algorithm is applied with the probabilistic one-hot encoded data. In the final step, five Machine Learning algorithms are tested using the two ways embedded data. Both embedder approaches reach very high results in terms of F1-score and Accuracy (about 91%) depending on the implemented classifier. The promising results obtained by the application of the proposed method shows that it is possible to perform DGA domain classification uniquely over the domain names, without considering external information such as DNS packets features.

show abstract

Detection of Application-Layer Tunnels with Rules and Machine Learning

Cited by 11 publications

References 19 publications

A survey on machine learning for data fusion

A survey on machine learning for data fusion

ICMPTend: Internet Control Message Protocol Covert Tunnel Attack Intent Detector

Siamese Neural Network and Machine Learning for DGA Classification

Contact Info

Product

Resources

About