论文信息 - A Bigram based Real Time DNS Tunnel Detection Approach

A Bigram based Real Time DNS Tunnel Detection Approach

Abstract DNS (Domain Name System) tunnels can provide high-bandwidth covert channels that pose a significant risk to sensitive information inside the company networks. Sensitive data are embedded in DNS query and response packets to exfiltrate and infiltrate the network boundaries. However, traditional Intrusion Detection Systems (IDS) and Firewalls let DNS packets pass without any checking. This paper explores a novel approach to detect in real time whether a DNS packet is in a tunnel by scoring the query domain based on bigram. Experiment shows that the bigrams of domains follow Zipf's law whereas tunnelled traffic is obedient to random distribution. The score mechanism in detecting DNS tunnels is proved to be usable theoretically and is confirmed in the experiment. Our approach can get a high accuracy of 98.74% and low false positive of 1.24%.

[1] Etienne Stalmans,et al. A framework for DNS based detection and mitigation of malware infections on a network , 2011, 2011 Information Security for South Africa.

[2] Yasuo Musashi,et al. Entropy based analysis of DNS query traffic in the campus network , 2007 .

[3] Kwan-Wu Chin,et al. On the viability and performance of DNS tunneling , 2008 .

[4] Steven B. Lipner,et al. Trusted Computer System Evaluation Criteria ( Orange Book ) December , 2001 .

[5] Kenton Born,et al. Detecting DNS Tunnels Using Character Frequency Analysis , 2010, ArXiv.

[6] Maurizio Aiello,et al. A Comparative Performance Evaluation of DNS Tunneling Tools , 2011, CISIS.

[7] Philippe Owezarski,et al. MINETRAC: Mining flows for unsupervised analysis & semi-supervised classification , 2011, 2011 23rd International Teletraffic Congress (ITC).

[8] Chun-Ying Huang,et al. Fast-Flux Bot Detection in Real Time , 2010, RAID.