Detection of Tunnels in PCAP Data by Random Forests

Buczak, Anna L.; Hanke, P.; Cancro, George J.; Toma, Michael K.; Watkins, Lanier; Chavis, Jeffrey S.

doi:10.1145/2897795.2897804

Cited by 41 publications

(24 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…More recent work has focused on less specific tunneling tools using supervised learning. For example, Buczak et al [5] also detect tunneling, although not only Iodine. The proposed method uses two different types of PCAP files: with and without tunneling; the tunneling is performed by one of three tools.…”

Section: Related Workmentioning

confidence: 99%

Detection of malicious and low throughput data exfiltration over the DNS protocol

Nadler

Aminov

Shabtai

2019

Computers & Security

View full text Add to dashboard Cite

In the presence of security countermeasures, a malware designed for data exfiltration must use a covert channel to achieve its goal. The Domain Name System (DNS) protocol is a covert channel commonly used by malware developers today for this purpose. Although the detection of covert channels using the DNS has been studied for the past decade, prior research has largely dealt with a specific subclass of covert channels, namely DNS tunneling. While the importance of tunneling detection should not be minimized, an entire class of low throughput DNS exfiltration malware has been overlooked.In this study we propose a method for detecting both tunneling and low throughput data exfiltration over the DNS. After determining that previously detected malware used Internet domains that were registered towards a cyber-campaign rather than compromising existing legitimate ones, we focus on detecting and denying requests to these domains as an effective data leakage shutdown. Therefore, our proposed solution handles streaming DNS traffic in order to detect and automatically deny requests to domains that are used for data exchange. The initial data collection phase collects DNS logs per domain in a manner that permits scanning for long periods of time, and is thus capable of dealing with "low and slow" attacks. The second phase extracts features based on the querying behavior of each domain, and in the last phase an anomaly detection model is used to classify domains based on their use for data exfiltration. As for detection, DNS requests to domains that were classified as being used for data exfiltration will be denied indefinitely.Our method was evaluated on a large-scale recursive DNS server's logs with a peaking high of 47 million requests per hour. Within these DNS logs, we injected data exfiltration traffic from DNS tunneling tools as well as two real-life malware: FrameworkPOS, previously used for the theft of 56M credit cards from Home Depot in 2014, and Backdoor.Win32.Denis, which was active in the Cobalt Kitty APT in 2016. Even when restricting our method to an extremely low false positive rate (i.e., one in fifty thousand domains), it detected all of the above. In addition, the logs are used to compare our system with two recently published methods that focus on detecting DNS tunneling in order to stress the novelty of detecting low throughput exfiltration malware.

show abstract

Section: Related Workmentioning

confidence: 99%

Detection of malicious and low throughput data exfiltration over the DNS protocol

Nadler

Aminov

Shabtai

2019

Computers & Security

View full text Add to dashboard Cite

show abstract

“…Using RF algorithm, Buczak et al [22] presented a model for preventing DNS tunneling. The proposed model has utilized the duration and size of the connections in order to initiate the feature space.…”

Section:  Issn: 2088-8708mentioning

confidence: 99%

A hybrid method of genetic algorithm and support vector machine for DNS tunneling detection

Al-Ibraheemi

AL-Ibraheemi²,

Amintoosi

2021

IJECE

View full text Add to dashboard Cite

With the expansion of the business over the internet, corporations nowadays are investing numerous amounts of money in the web applications. However, there are different threats could make the corporations vulnerable for potential attacks. One of these threats is harnessing the domain name protocol for passing harmful information, this kind of threats is known as DNS tunneling. As a result, confidential information would be exposed and violated. Several studies have investigated the machine learning in order to propose a detection approach. In their approaches, authors have used different and numerous types of features such as domain length, number of bytes, content, volume of DNS traffic, number of hostnames per domain, geographic location and domain history. Apparently, there is a vital demand to accommodate feature selection task in order to identify the best features. This paper proposes a hybrid method of genetic algorithm feature selection approach with the support vector machine classifier for the sake of identifying the best features that have the ability to optimize the detection of DNS tunneling. To evaluate the proposed method, a benchmark dataset of DNS tunneling has been used. Results showed that the proposed method has outperformed the conventional SVM by achieving 0.946 of f-measure

show abstract

“…Their work was based on an extensive year‐long analysis of malware datasets, and a near real‐time feed of passive DNS traffic. Anna and others [15] extracted features from the data set that employed a penetration testing effort within a DNS tunnel and trained random forest classifiers to distinguish normal DNS activity from tunneling activity. Aiello and others [16–19] have done extensive research on DNS tunnels.…”

Section: Related Workmentioning

confidence: 99%

Refined identification of hybrid traffic in DNS tunnels based on regression analysis

et al. 2020

View full text Add to dashboard Cite

DNS (Domain Name System) tunnels almost obscure the true network activities of users, which makes it challenging for the gateway or censorship equipment to identify malicious or unpermitted network behaviors. An efficient way to address this problem is to conduct a temporal‐spatial analysis on the tunnel traffic. Nevertheless, current studies on this topic limit the DNS tunnel to those with a single protocol, whereas more than one protocol may be used simultaneously. In this paper, we concentrate on the refined identification of two protocols mixed in a DNS tunnel. A feature set is first derived from DNS query and response flows, which is incorporated with deep neural networks to construct a regression model. We benchmark the proposed method with captured DNS tunnel traffic, the experimental results show that the proposed scheme can achieve identification accuracy of more than 90%. To the best of our knowledge, the proposed scheme is the first to estimate the ratios of two mixed protocols in DNS tunnels.

show abstract

Detection of Tunnels in PCAP Data by Random Forests

Cited by 41 publications

References 7 publications

Detection of malicious and low throughput data exfiltration over the DNS protocol

Detection of malicious and low throughput data exfiltration over the DNS protocol

A hybrid method of genetic algorithm and support vector machine for DNS tunneling detection

Refined identification of hybrid traffic in DNS tunnels based on regression analysis

Contact Info

Product

Resources

About