2014
DOI: 10.1002/dac.2836

DNS tunneling detection through statistical fingerprints of protocol messages and machine learning

Abstract: The use of covert-channel methods to bypass security policies has increased considerably in the recent years. Malicious users neutralize security restriction by encapsulating protocols like peer-to-peer, chat or http proxy into other allowed protocols like Domain Name Server (DNS) or HTTP. This paper illustrates a machine learning approach to detect one particular covert-channel technique: DNS tunneling. Despite packet inspection may guarantee reliable intrusion detection in this context, it may suffer of scala…

Citations: cited by 59 publications (45 citation statements)
References: 26 publications
“…This paper shares with the literature, , and the other papers mentioned in the previous section concerning SABID, not only the idea of detecting something by using statistical analysis. For instance “looking at simple statistical properties of protocol messages, such as statistics of packet inter‐arrival times and of packets sizes” may be useful to perform monitoring actions. “The key idea is that the information carried by packets at the network layer, such as packet‐size and inter‐arrival time between consecutive packets, are enough to infer the nature of the application protocol that generated those packets.” This sentence, referred in the work of Dusi et al to tunnels, may be literally applied to malware in this paper.…”
Section: Statistical Fingerprint‐based Intrusion Detection System—sf‐ids
Citation type: supporting
confidence: 60%
“…As far as statistical analysis based detection, 2 papers are particularly meaningful for the topic of this paper, even if they are not strictly related to malware detection: the works of Dusi et al and Aiello et al. Both contributions are aimed at detecting application‐layer tunnels throughout statistical fingerprints. Dusi et al presents a statistical classification mechanism called Tunnel Hunter devoted to recognize a generic application protocol tunneled on top of HTTP or of SSH.…”
Section: State Of the Art
Citation type: mentioning
confidence: 99%
“…Similarly, Aiello et al [8] have proposed a machine learning technique in order to detect the DNS tunneling. The proposed method examines simple statistical features of protocol messages, such as statistics of packets interarrival times and of packets' sizes.…”
Section: Related Work
Citation type: mentioning
confidence: 99%
“…The key characteristic behind the MLT lies in the historical data that should be provided in order to make the machine train and build the statistical model. Several researchers have examined the use of machine learning in terms of detecting DNS tunneling such as [7][8][9]. However, these studies have treated the problem of DNS tunneling as a binary classification where the class label is either legitimate or tunnel.…”
Section: Introduction
Citation type: mentioning
confidence: 99%