Network Flow Entropy for Identifying Malicious Behaviours in DNS Tunnels

Khodjaeva, Yulduz; Zincir-Heywood, A. Nur

doi:10.1145/3465481.3470089

Cited by 10 publications

(4 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Table VII and Table VIII compare the performances of the proposed system and those of the previous studies [28], [31] 0.992 0.99 1.0 0.99 [29], [30], [31], [32], [33]. These tables show the results of cross-validation and hold-out, respectively.…”

Section: E Well-known Malicious Dns Tunnel Tool Recognitionmentioning

confidence: 88%

“…In their experiments, the former filtering obtained an F-score of 99.3%, and the latter detection resulted in an F-score of 99.9%. Y. Khodjaeva et al [29] used statistical features extracted from traffic flows by several tools, such as Argus, DoHlyzer, and Tranalyzer2. They obtained an F-score of 93.5% by Random Forest in classifying DoH traffic as normal and malicious.…”

Section: B Doh Traffic Classificationmentioning

confidence: 99%

See 1 more Smart Citation

Malicious DNS Tunnel Tool Recognition Using Persistent DoH Traffic Analysis

Mitsuhashi

Jin

Iida

et al. 2023

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

DNS over HTTPS (DoH) protocol can mitigate the risk of privacy breaches but makes it difficult to control network security services due to the DNS traffic encryption. However, since malicious DNS tunnel tools for the DoH protocol pose network security threats, network administrators need to recognize malicious communications even after the DNS traffic encryption has become widespread. In this paper, we propose a malicious DNS tunnel tool recognition system using persistent DoH traffic analysis based on machine learning. The proposed system can accomplish continuous knowledge updates for emerging malicious DNS tunnel tools on the machine learning model. The system is based on hierarchical machine learning classification and focuses on DoH traffic analysis. The evaluation results confirm that the proposed system is able to recognize the six malicious DNS tunnel tools in total, not only well-known ones, including dns2tcp, dnscat2, and iodine, but also the emerging ones such as dnstt, tcp-over-dns, and tuns with 98.02% classification accuracy.

show abstract

Section: E Well-known Malicious Dns Tunnel Tool Recognitionmentioning

confidence: 88%

Section: B Doh Traffic Classificationmentioning

confidence: 99%

Malicious DNS Tunnel Tool Recognition Using Persistent DoH Traffic Analysis

Mitsuhashi

Jin

Iida

et al. 2023

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

show abstract

“…In this paper, we extend our previous research on detecting tunnelling and exfiltration behaviours in DoH traffic via optimization of the network traffic flow inspection-based approach, where the statistical flow features are augmented with the entropy of the network flow [34]. This augmented feature set is then used with ML classifiers to detect the malicious DNS tunnels.…”

Section: Methodsmentioning

confidence: 94%

“…Taking all these factors into account, researchers have started to explore host-based and network-based monitoring for DoH protocol analysis [30]. To this end, some recent works have evaluated the use of Machine Learning (ML), entropy, and network packet distribution-based approaches for analyzing tunnelling and exfiltration attacks over DNS [21,34,43,49]. While some of these works focus on using DNS-specific attributes, others use traffic or malware-specific attributes.…”

Section: Introductionmentioning

confidence: 99%

Can We Detect Malicious Behaviours in Encrypted DNS Tunnels Using Network Flow Entropy?

Khodjaeva

Zincir-Heywood

Zincir

2022

JCSANDM

Self Cite

View full text Add to dashboard Cite

This paper explores the concept of entropy of a flow to augment flow statistical features for encrypted DNS tunnelling detection, specifically DNS over HTTPS traffic. To achieve this, the use of flow exporters, namely Argus, DoHlyzer and Tranalyzer2 are studied. Statistical flow features automatically generated by the aforementioned tools are then augmented with the flow entropy. In this work, flow entropy is calculated using three different techniques: (i) entropy over all packets of a flow, (ii) entropy over the first 96 bytes of a flow, and (iii) entropy over the first n-packets of a flow. These features are provided as input to ML classifiers to detect malicious behaviours over four publicly available datasets. This model is optimized using TPOT-AutoML system, where the Random Forest classifier provided the best performance achieving an average F-measure of 98% over all testing datasets employed.

show abstract