Malicious DNS Tunnel Tool Recognition Using Persistent DoH Traffic Analysis

Mitsuhashi, Rikima; Jin, Yong; Iida, Katsuyoshi; Shinagawa, Takahiro; Takai, Yoshiaki

doi:10.1109/tnsm.2022.3215681

Cited by 16 publications

(4 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Therefore, the users may lose some security filtering as the cost of privacy protection with DoH. To solve this problem, we have to develop new security systems using techniques such as machine learning [8].…”

Section: Proposed Methods Protect Protectmentioning

confidence: 99%

A proposal of DoH-based domain name resolution architecture including authoritative DNS servers

Sunahara

Jin

Iida

2022

2022 32nd International Telecommunication Networks and Applications Conference (ITNAC)

Self Cite

View full text Add to dashboard Cite

In addition to cache poisoning attacks, the privacy leakage has become a critical issue in DNS nowadays. Especially, the communication between the DNS full-service resolver and the authoritative DNS servers may go through multiple ISP networks. Thus, if the communication path contains areas with different privacy policies, the security and privacy in DNS domain name resolution cannot be guaranteed. To mitigate cache poisoning attacks and protect the privacy of the Internet users, we propose a novel architecture that encrypts all DNS communications with DoH. In the proposed architecture, in addition to the communication between the end clients and the DNS full-service resolvers, that between the DNS full-service resolvers and the authoritative DNS servers is also covered by DoH. As a result, not only the risk of cache poisoning attacks can be dramatically mitigated on DNS full-service resolver but also the risk of eavesdropping on DNS traffic can be reduced. Moreover, the proposed architecture is the first approach to pure DoH-based domain name resolution including DNS authoritative DNS servers.

show abstract

Section: Proposed Methods Protect Protectmentioning

confidence: 99%

A proposal of DoH-based domain name resolution architecture including authoritative DNS servers

Sunahara

Jin

Iida

2022

2022 32nd International Telecommunication Networks and Applications Conference (ITNAC)

Self Cite

View full text Add to dashboard Cite

show abstract

“…In [ 34 ], authors explored the classification of DNS over HTTPS communication. The majority of linked works make use of various dataset properties.…”

Section: Literature Reviewmentioning

confidence: 99%

A Lightweight Double-Stage Scheme to Identify Malicious DNS over HTTPS Traffic Using a Hybrid Learning Approach

Al‐Haija

Alohaly

Odeh

2023

Sensors

View full text Add to dashboard Cite

The Domain Name System (DNS) protocol essentially translates domain names to IP addresses, enabling browsers to load and utilize Internet resources. Despite its major role, DNS is vulnerable to various security loopholes that attackers have continually abused. Therefore, delivering secure DNS traffic has become challenging since attackers use advanced and fast malicious information-stealing approaches. To overcome DNS vulnerabilities, the DNS over HTTPS (DoH) protocol was introduced to improve the security of the DNS protocol by encrypting the DNS traffic and communicating it over a covert network channel. This paper proposes a lightweight, double-stage scheme to identify malicious DoH traffic using a hybrid learning approach. The system comprises two layers. At the first layer, the traffic is examined using random fine trees (RF) and identified as DoH traffic or non-DoH traffic. At the second layer, the DoH traffic is further investigated using Adaboost trees (ADT) and identified as benign DoH or malicious DoH. Specifically, the proposed system is lightweight since it works with the least number of features (using only six out of thirty-three features) selected using principal component analysis (PCA) and minimizes the number of samples produced using a random under-sampling (RUS) approach. The experiential evaluation reported a high-performance system with a predictive accuracy of 99.4% and 100% and a predictive overhead of 0.83 µs and 2.27 µs for layer one and layer two, respectively. Hence, the reported results are superior and surpass existing models, given that our proposed model uses only 18% of the feature set and 17% of the sample set, distributed in balanced classes.

show abstract

“…Although cryptographic technologies could conceal users' identity information, it was still possible to trace the traces generated by users when accessing different applications by mining the potential features of the traffic. Among these, statistical features, as a commonly used method for representing potential features of traffic through mining, were widely employed in the field of traffic identification [3][4][5][6][7][8][9].…”

Section: Introductionmentioning

confidence: 99%

DarkGuardNet: A deep learning framework for imbalanced dark web traffic identification and application classification

Niu,

Li,

Liu

2024

Preprint

View full text Add to dashboard Cite

The dark web was often utilized for illicit activities, data breaches, and the dissemination of malicious software. Researchers consistently employed various machine learning and deep learning approaches to detect dark web traffic. However, existing studies overlooked the comprehensive capture of multi-scale information in traffic data, resulting in an inability to fully extract features when dealing with complex structural data, especially in datasets with an imbalanced number of samples. To address this problem, our paper proposed DarkGuardNet for the recognition of dark web traffic and application type classification. Specifically, we conducted dark web traffic analysis based on sessions and designed a Spatio-temporal Feature Fusion (STFF) module to capture multi-scale feature correlations. This module extended the receptive field to deepen the understanding of complex data, allowing for the precise extraction of spatiotemporal features in imbalanced samples. In addition, we used Multi-Head Self-Attention (MHSA) to mine potential relationships between statistical features of dark web traffic, enabling the model to focus on key features of categories with small sample sizes. Finally, we conducted experiments on a new imbalanced dark web traffic dataset, formed by merging ISCXVPN and ISCXTor. The results indicated that the method achieved an accuracy of 0.999 in dark web traffic recognition and an accuracy of 0.986 in application type classification, surpassing other advanced methods. The Data is available at:https://github.com/niu954325618/Darknet2024/tree/main.

show abstract

Malicious DNS Tunnel Tool Recognition Using Persistent DoH Traffic Analysis

Cited by 16 publications

References 23 publications

A proposal of DoH-based domain name resolution architecture including authoritative DNS servers

A proposal of DoH-based domain name resolution architecture including authoritative DNS servers

A Lightweight Double-Stage Scheme to Identify Malicious DNS over HTTPS Traffic Using a Hybrid Learning Approach

DarkGuardNet: A deep learning framework for imbalanced dark web traffic identification and application classification

Contact Info

Product

Resources

About