2021
DOI: 10.1109/tnsm.2021.3078428

DNS Tunneling Detection by Cache-Property-Aware Features

Abstract: Many enterprises are under threat of targeted attacks aiming at data exfiltration. To launch such attacks, in recent years, attackers with their malware have exploited a covert channel that abuses the domain name system (DNS) named DNS tunneling. Although several research efforts have been made to detect DNS tunneling, the existing methods rely on features that advanced tunneling techniques can easily obfuscate by mimicking legitimate DNS clients. Such obfuscation would result in data leakage. To tackle this p…

Cited by 28 publications (10 citation statements)
References 25 publications
“…The aggregation of alerts is a crucial aspect of attack prevention [40]- [42]. One singular incident, such as a gratuitous ARP or a single scan, could hint that an attack is in progress if it belongs to a sequence.…”
Section: Discussion (citation type: mentioning)
confidence: 99%
“…Also, they differ from DNS redirection, which changes response records for the sake of advertisement [24,41] or censorship [5,25]. Lastly, they are not part of DNS tunneling, which carries ancillary information [19] not related to name resolution.…”
Section: Discussion (citation type: mentioning)
confidence: 99%
“…Wang et al. (2021) surveyed several DNS tunneling detection techniques from 2006 to 2020, classifying parameters into DNS packets and DNS flows, and distinguishing detection methods into rule-based, signature-based and ML-based. Bai et al. (2021) and Ishikura et al. (2021) focused on the efficient combination of the selection and extraction of DNS tunneling identifying parameters with algorithms reaching the highest possible accuracy. In Chen et al. (2021), two categories of parameters were defined: DNS packets, processed in real time, and DNS sessions, which do not require packet payload analysis but have high computational complexity.…”
Section: Related Work (citation type: unclassified)
“…Time-to-live (TTL): it is important that tunneled DNS traffic have the lowest possible TTL so that requests to the malicious domain are not cached at the local resolver, forcing high cache miss rates (failure to find the subdomain in the resolver's records), Ishikura et al. 2021.…”
Section: Parameter Selection (citation type: unclassified)
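The Parameter Selection citation above describes the cache property that the indexed paper builds on: a tunnel must avoid resolver caching (fresh subdomain per query, minimal TTL), so its queries miss the cache far more often than a legitimate client's. As an added illustration, not code from the paper or from any of the citing works, the Python below replays a constructed capture of DNS queries through a minimal TTL cache and computes, per registrable domain, the cache-miss rate, the mean answer TTL and the number of distinct names seen. The `Query` record, the sample capture, the two-label registrable-domain split and the flagging thresholds are assumptions made for this example; the paper's actual feature set and classifier are not reproduced here.

```python
from dataclasses import dataclass


@dataclass
class Query:
    t: float    # seconds since capture start (assumed field; constructed for the example)
    qname: str  # fully qualified name queried
    ttl: int    # TTL of the answer the upstream returned for that name


def base_domain(qname: str) -> str:
    """Registrable domain, approximated as the last two labels.

    Assumption for the example only: production code should consult the
    public suffix list (e.g. 'co.uk' would be split incorrectly here).
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


class ResolverCache:
    """Minimal model of a caching resolver: expiry time per qname."""

    def __init__(self) -> None:
        self._expiry: dict[str, float] = {}

    def lookup(self, qname: str, now: float, ttl: int) -> bool:
        """Return True on a cache hit; on a miss, (re)insert with the answer's TTL."""
        exp = self._expiry.get(qname)
        if exp is not None and now < exp:
            return True
        self._expiry[qname] = now + ttl
        return False


def cache_stats(queries: list[Query]) -> dict[str, dict]:
    """Per registrable domain: query count, cache-miss rate, mean TTL, distinct names."""
    cache = ResolverCache()
    acc: dict[str, dict] = {}
    for q in sorted(queries, key=lambda q: q.t):  # replay in time order
        name = q.qname.rstrip(".").lower()
        s = acc.setdefault(base_domain(name), {"queries": 0, "misses": 0, "ttl_sum": 0, "names": set()})
        s["queries"] += 1
        s["ttl_sum"] += q.ttl
        s["names"].add(name)
        if not cache.lookup(name, q.t, q.ttl):
            s["misses"] += 1
    return {
        d: {
            "queries": s["queries"],
            "miss_rate": s["misses"] / s["queries"],
            "mean_ttl": s["ttl_sum"] / s["queries"],
            "unique_names": len(s["names"]),
        }
        for d, s in acc.items()
    }


def flag_tunnel_candidates(feats: dict[str, dict], min_queries: int = 10,
                           min_miss_rate: float = 0.9, max_mean_ttl: float = 60.0) -> list[str]:
    """Domains whose queries almost never hit the cache and carry short TTLs.

    Thresholds are assumptions for the example; a low-volume domain is skipped
    because a handful of expiry-driven misses is normal for legitimate clients.
    """
    return sorted(
        d for d, f in feats.items()
        if f["queries"] >= min_queries
        and f["miss_rate"] >= min_miss_rate
        and f["mean_ttl"] <= max_mean_ttl
    )


def constructed_capture() -> list[Query]:
    """Constructed sample, not real traffic."""
    qs: list[Query] = []
    # Legitimate clients re-resolving two names every 10 s; answers carry TTL 300 s,
    # so only the first lookup of each name misses.
    for i in range(10):
        qs.append(Query(t=i * 10.0, qname="www.example.com", ttl=300))
        qs.append(Query(t=i * 10.0 + 1, qname="mail.example.com", ttl=300))
    # Tunnel client: each query encodes a fresh data chunk in the leftmost label and
    # the authoritative server answers with TTL 1 s, so nothing is ever served from cache.
    for i in range(20):
        qs.append(Query(t=i * 5.0 + 0.5, qname=f"{i:08x}a1b2c3d4.tun.example.net", ttl=1))
    return qs


if __name__ == "__main__":
    feats = cache_stats(constructed_capture())
    for d, f in feats.items():
        print(f"{d:14s} queries={f['queries']:3d} miss_rate={f['miss_rate']:.2f} "
              f"mean_ttl={f['mean_ttl']:6.1f} unique_names={f['unique_names']}")
    print("tunnel candidates:", flag_tunnel_candidates(feats))
```

Note the caveat the citation implies: a tunnel that raises its TTL or reuses names to blend in would lower its miss rate, which is why the miss rate is combined with the TTL and distinct-name counts here rather than used alone; the indexed paper's point is that cache-related properties are harder for a tunnel to fake than client-side timing or name-entropy features.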