Application Behavior Identification in DNS Tunnels Based on Spatial-Temporal Information

Because it can pass through heavily censored networks and gateways equipped with traffic-monitoring modules, DNS tunneling has become the dominant covert communication technique for command and control between a victim and an attacker in network attacks. Although the detection of DNS tunnels has been studied intensively, identifying the application behavior carried inside a DNS tunnel remains a challenging problem. Such fine-grained identification can reveal more about the behavior wrapped in the tunnel. In this study, we use the spatial-temporal information in raw packets to identify the internal application behaviors of DNS tunnels. Multi-dimensional packet-length and timing features of DNS tunnels carrying different application behaviors are combined with a machine-learning algorithm to identify those behaviors. We consider 4 common types of application behavior: browsing webpages, emailing, downloading data, and controlling remote servers. The experimental results show that the proposed scheme achieves higher identification accuracy while consuming far fewer packets than the state-of-the-art internal protocol identification scheme; in terms of F-score, our scheme reaches 99% with only 100 packets.
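The abstract describes the approach only in outline: per-flow packet-length and timing statistics over a bounded packet window, fed to a classifier that separates four behavior classes. The following Python sketch is an added illustration, not the authors' code, data or feature set: it computes such spatial-temporal features over the first 100 packets of a flow and trains a nearest-centroid classifier on synthetic flows. The four traffic profiles in `PROFILES`, the feature list, and the classifier are assumptions made here for demonstration, not measurements or design choices from the paper.

```python
import random
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    """One DNS message of a tunnel flow, as seen by a passive sensor."""
    ts: float        # capture timestamp in seconds
    length: int      # DNS message length in bytes
    outbound: bool   # True for a query leaving the client, False for a response

FEATURE_NAMES = ("out_len_mean", "out_len_std", "in_len_mean", "in_len_std",
                 "iat_mean", "iat_std", "out_frac", "byte_ratio")


def extract_features(packets: Sequence[Packet], window: int = 100) -> Dict[str, float]:
    """Packet-length and inter-arrival-time statistics over the first `window` packets."""
    flow = sorted(packets, key=lambda p: p.ts)[:window]
    if len(flow) < 2:
        raise ValueError("need at least two packets to derive timing features")
    out = [p.length for p in flow if p.outbound]
    inb = [p.length for p in flow if not p.outbound]
    iat = [b.ts - a.ts for a, b in zip(flow, flow[1:])]

    def stats(xs: List[int]) -> Tuple[float, float]:
        return (mean(xs), pstdev(xs)) if xs else (0.0, 0.0)  # one-directional flows allowed

    out_mean, out_std = stats(out)
    in_mean, in_std = stats(inb)
    return {
        "out_len_mean": out_mean, "out_len_std": out_std,
        "in_len_mean": in_mean, "in_len_std": in_std,
        "iat_mean": mean(iat), "iat_std": pstdev(iat),
        "out_frac": len(out) / len(flow),
        "byte_ratio": sum(out) / max(sum(inb), 1),  # upload/download byte balance
    }


def _standardize(scale: dict, feat: Dict[str, float]) -> List[float]:
    return [(feat[f] - scale[f][0]) / scale[f][1] for f in FEATURE_NAMES]


def fit_centroids(samples: Sequence[Tuple[str, Dict[str, float]]]) -> dict:
    """Nearest-centroid classifier: z-score each feature, then average each class's vectors."""
    scale = {}
    for f in FEATURE_NAMES:
        col = [feat[f] for _, feat in samples]
        scale[f] = (mean(col), pstdev(col) or 1.0)  # constant feature: unit scale, not /0
    by_label: Dict[str, List[List[float]]] = {}
    for label, feat in samples:
        by_label.setdefault(label, []).append(_standardize(scale, feat))
    centroids = {lbl: [mean(dim) for dim in zip(*vecs)] for lbl, vecs in by_label.items()}
    return {"scale": scale, "centroids": centroids}


def classify(model: dict, feat: Dict[str, float]) -> str:
    """Label = class whose centroid is closest (squared Euclidean) to the standardized vector."""
    z = _standardize(model["scale"], feat)
    return min(model["centroids"],
               key=lambda lbl: sum((a - b) ** 2 for a, b in zip(z, model["centroids"][lbl])))


# Constructed traffic shapes (outbound bytes, inbound bytes, mean gap in seconds) for the
# four behaviors named in the abstract; illustrative assumptions, not measurements.
PROFILES = {
    "browsing":     (90, 350, 0.30),
    "email":        (180, 120, 0.50),
    "download":     (60, 480, 0.05),
    "remote_shell": (50, 70, 1.20),
}


def synth_flow(behavior: str, rng: random.Random, n: int = 100) -> List[Packet]:
    """Alternate query/response packets with ~10% length jitter and ~20% timing jitter."""
    out_len, in_len, gap = PROFILES[behavior]
    packets, ts = [], 0.0
    for i in range(n):
        outbound = i % 2 == 0
        base = out_len if outbound else in_len
        packets.append(Packet(ts, max(20, int(rng.gauss(base, 0.1 * base))), outbound))
        ts += max(0.001, rng.gauss(gap, 0.2 * gap))
    return packets


def demo(seed: int = 7, train_per_class: int = 20, test_per_class: int = 5) -> float:
    """Train on synthetic flows; return held-out accuracy using only the first 100 packets."""
    rng = random.Random(seed)
    train = [(b, extract_features(synth_flow(b, rng)))
             for b in PROFILES for _ in range(train_per_class)]
    model = fit_centroids(train)
    test = [(b, extract_features(synth_flow(b, rng)))
            for b in PROFILES for _ in range(test_per_class)]
    hits = sum(classify(model, feat) == label for label, feat in test)
    return hits / len(test)


if __name__ == "__main__":
    print(f"held-out accuracy on synthetic flows: {demo():.2f}")
```

The `window` parameter is what bounds the "packet consuming rate" the abstract refers to: the features are computed from the first 100 packets of a flow, so a detector can emit a label early rather than waiting for the whole session. On real captures the profiles would be replaced by labelled flows, and a classifier with a proper decision boundary would replace the nearest-centroid rule used here for brevity.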
