Detecting DNS Tunnels Using Character Frequency Analysis

High-bandwidth covert channels pose significant risks to sensitive and proprietary information inside company networks. Domain Name System (DNS) tunnels provide a means to covertly infiltrate and exfiltrate large amounts of information across network boundaries. This paper explores the possibility of detecting DNS tunnels by analyzing the unigram, bigram, and trigram character frequencies of domains in DNS queries and responses. It is shown empirically that domain names follow Zipf's law in a pattern similar to natural languages, whereas tunneled traffic has more evenly distributed character frequencies. This approach allows tunnels to be detected across multiple domains, whereas previous methods typically concentrate on monitoring point-to-point systems. Anomalies are quickly discovered when tunneled traffic is compared to the character frequency fingerprint of legitimate domain traffic.
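The frequency comparison described above can be illustrated with a minimal sketch. It counts character n-grams in a set of domain names, ranks them by relative frequency, and summarizes how evenly the frequencies are spread. The function names, the choice to count n-grams within each dot-separated label, and the use of normalized Shannon entropy as the evenness measure are all assumptions made for illustration; they are not taken from the paper.

```python
from collections import Counter
import math


def ngram_counts(domains, n):
    """Count character n-grams (n=1 unigram, 2 bigram, 3 trigram).

    Assumption: n-grams are counted inside each dot-separated label,
    so they never span a '.' separator.
    """
    counts = Counter()
    for domain in domains:
        for label in domain.lower().split("."):
            for i in range(len(label) - n + 1):
                counts[label[i:i + n]] += 1
    return counts


def ranked_frequencies(counts):
    """Relative frequencies sorted from most to least common.

    Plotted against rank, a Zipf-like source falls off steeply,
    while an evenly distributed source stays nearly flat.
    """
    total = sum(counts.values())
    return [c / total for _, c in counts.most_common()]


def normalized_entropy(counts):
    """Shannon entropy divided by its maximum for the observed symbols.

    Illustrative evenness score (an assumption, not the paper's metric):
    1.0 means perfectly uniform, lower values mean a skewed distribution.
    """
    total = sum(counts.values())
    distinct = len(counts)
    if distinct < 2:
        return 0.0
    h = -sum((c / total) * math.log2(c / total) for c in counts.values())
    return h / math.log2(distinct)


if __name__ == "__main__":
    # Hypothetical sample names, for demonstration only.
    legitimate = ["www.example.com", "mail.example.net", "news.example.org"]
    suspect = ["abcdefghijklmnopqrstuvwxyz234567.t.example.com"]
    for name, sample in (("legitimate", legitimate), ("suspect", suspect)):
        for n in (1, 2, 3):
            score = normalized_entropy(ngram_counts(sample, n))
            print(f"{name} {n}-gram evenness: {score:.3f}")
```

In practice the baseline would be built from a large sample of known legitimate traffic, and the scores of observed traffic would be compared against it; the tiny lists here only show the mechanics.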
