Flow-Based Detection of DNS Tunnels

Ellens, Wendy; Żuraniewski, Piotr; Sperotto, Anna; Schotanus, H.A.; Mandjes, Michel; Meeuwissen, Erik

doi:10.1007/978-3-642-38998-6_16

Cited by 35 publications

(15 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This is necessary to drive the feature selection made by the C4.5 decision tree classifier. Anomaly-based detection may be more adaptive than ML as it simply looks at sudden changes of flows statistics [4,13], while providing good detection rates [12]. A recent approach to DNS tunneling detection exploits anomaly-based analysis of flow statistics [12].…”

Section: Problem Formulationmentioning

confidence: 99%

“…We consider the adoption of the Brodsky-Darkhovsky method as similarly carried out in [12]. We consider the adoption of the Brodsky-Darkhovsky method as similarly carried out in [12].…”

Section: Anomaly-based Detectionmentioning

confidence: 99%

“…Figure 7 shows the time evolution of m q (the average size of the queries) with and without p2p tunneling at mix of 10%. They may be the rationale behind the low detection rates of some cases evidenced in Table II of [12]. A threshold around 93 bytes appears to be applicable to detect the tunnel.…”

Section: Anomaly-based Detectionmentioning

confidence: 99%

“…For the problem under investigation, we resort to the simple statistics of x in order to avoid packet inspection and to guarantee quick feature building. A recent approach to DNS tunneling detection exploits anomaly-based analysis of flow statistics [12]. Anomaly-based detection may be more adaptive than ML as it simply looks at sudden changes of flows statistics [4,13], while providing good detection rates [12].…”

Section: Problem Formulationmentioning

confidence: 99%

See 3 more Smart Citations

DNS tunneling detection through statistical fingerprints of protocol messages and machine learning

Aiello

Mongelli

Papaleo

2014

Int J Communication

View full text Add to dashboard Cite

The use of covert-channel methods to bypass security policies has increased considerably in the recent years. Malicious users neutralize security restriction by encapsulating protocols like peer-to-peer, chat or http proxy into other allowed protocols like Domain Name Server (DNS) or HTTP. This paper illustrates a machine learning approach to detect one particular covert-channel technique: DNS tunneling.Despite packet inspection may guarantee reliable intrusion detection in this context, it may suffer of scalability performance when a large set of sockets should be monitored in real time. Detecting the presence of DNS intruders by an aggregation-based monitoring is of main interest as it avoids packet inspection, thus preserving privacy and scalability. The proposed monitoring mechanism looks at simple statistical properties of protocol messages, such as statistics of packets inter-arrival times and of packets sizes. The analysis is complicated by two drawbacks: silent intruders (generating small statistical variations of legitimate traffic) and quick statistical fingerprints generation (to obtain a detection tool really applicable in the field).Results from experiments conducted on a live network are obtained by replicating individual detections over successive samples over time and by making a global decision through a majority voting scheme. The technique overcomes traditional classifier limitations. An insightful analysis of the performance leads to discover a unique intrusion detection tool, applicable in the presence of different tunneled applications. ¶ The n s with an order of magnitude more (n s D 10 4 ) captures features with a higher measurement stability, thus allowing to reach the steady state after K=811 samples.

show abstract

Section: Problem Formulationmentioning

confidence: 99%

“…We consider the adoption of the Brodsky-Darkhovsky method as similarly carried out in [12]. We consider the adoption of the Brodsky-Darkhovsky method as similarly carried out in [12].…”

Section: Anomaly-based Detectionmentioning

confidence: 99%

Section: Anomaly-based Detectionmentioning

confidence: 99%

Section: Problem Formulationmentioning

confidence: 99%

See 2 more Smart Citations

DNS tunneling detection through statistical fingerprints of protocol messages and machine learning

Aiello

Mongelli

Papaleo

2014

Int J Communication

View full text Add to dashboard Cite

show abstract

“…This is a hard and important computational problem in cyber defence [2]. Specifically, we consider detecting tunnelling [3], [4] in the case where the attacker has obtained legitimate credentials. Because an attacker may be detectable if they do not follow existing connections, they must create tunnels from their entry point to the target.…”

Section: Introductionmentioning

confidence: 99%

Statistical Frameworks for Detecting Tunnelling in Cyber Defence Using Big Data

Lawson¹,

Rubin-Delanchy²,

Heard

et al. 2014

2014 IEEE Joint Intelligence and Security Informatics Conference

View full text Add to dashboard Cite

Abstract-How can we effectively use costly statistical models in the defence of large computer networks? Statistical modelling and machine learning are potentially powerful ways to detect threats as they do not require a human level understanding of the attack. However, they are rarely applied in practice as the computational cost of deploying all but the most simple algorithms can become implausibly large. Here we describe a multilevel approach to statistical modelling in which descriptions of the normal running of the network are built up from the lower netflow level to higher-level sessions and graph-level descriptions. Statistical models at low levels are most capable of detecting the unusual activity that might be a result of malicious software or hackers, but are too costly to run over the whole network. We develop a fast algorithm to identify tunnelling behaviour at the session level using 'telescoping' of sessions containing other sessions, and demonstrate that this allows a statistical model to be run at scale on netflow timings. The method is applied to a toy dataset using an artificial 'attack'.

show abstract

A Two-Stage Method for Fine-Grained DNS Covert Tunnel Behavior Detection

Wang

Xiong

et al. 2022

Science of Cyber Security

View full text Add to dashboard Cite

Flow-Based Detection of DNS Tunnels

Cited by 35 publications

References 12 publications

DNS tunneling detection through statistical fingerprints of protocol messages and machine learning

DNS tunneling detection through statistical fingerprints of protocol messages and machine learning

Statistical Frameworks for Detecting Tunnelling in Cyber Defence Using Big Data

A Two-Stage Method for Fine-Grained DNS Covert Tunnel Behavior Detection

Contact Info

Product

Resources

About