Detection of Exfiltration and Tunneling over DNS

This paper proposes a method to detect the two primary malicious uses of the Domain Name System (DNS): exfiltration of information from compromised machines, and the establishment of command and control (C&C) channels via DNS tunneling. We develop machine learning models for both cases and validate the approach experimentally by detecting a malware family used in several recent Advanced Persistent Threat (APT) attacks [1]. The novelty of our method lies in its robustness, simplicity, scalability, and ease of deployment in a production environment.
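The abstract does not describe the features its models consume. As an added illustration (not the paper's code, feature set, or thresholds), the block below shows the kind of per-query and per-zone features a DNS exfiltration/tunneling detector typically derives from resolver logs: Shannon entropy and length of the subdomain part, label statistics, the ratio of distinct subdomains per zone, and the share of record types that carry bulk data (TXT and NULL). A fixed indicator count stands in for the classifier; in a real deployment a trained model would take the same feature vectors. The log lines, the zone `exfil.example`, and the threshold values are constructed assumptions, and the zone split uses a naive "last two labels" rule rather than the Public Suffix List.

```python
"""Feature extraction for DNS tunneling / exfiltration detection.

Added example, not the paper's code. Computes lexical features per query
and aggregate features per zone over constructed resolver log lines, then
applies an illustrative indicator-count rule where a trained classifier
would sit.
"""
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (one query per line):
# "<timestamp> <client> <qname> <qtype>". Not captured traffic; the
# exfil.example zone and its base32-looking labels are made up.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 www.example.com A
2024-01-01T10:00:01 10.0.0.5 mail.example.com MX
2024-01-01T10:00:02 10.0.0.7 www.example.com A
2024-01-01T10:00:03 10.0.0.7 cdn.example.net AAAA
2024-01-01T10:00:04 10.0.0.9 mfrggzdfmztwq2lknnwg23tpobyxe43u.0.exfil.example TXT
2024-01-01T10:00:05 10.0.0.9 nrxw4zlpmfrgk5dpnzsxgzlsovqxi2dg.1.exfil.example TXT
2024-01-01T10:00:06 10.0.0.9 k5tgg4lxonyhe2ldojqw23dpn5xxi3dm.2.exfil.example TXT
2024-01-01T10:00:07 10.0.0.9 obwxg2lbonuw2zlvmvzgq3dmoj2xgzls.3.exfil.example TXT
"""

# Record types commonly used to carry tunnel payload downstream.
BULK_TYPES = {"TXT", "NULL"}


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_log(text: str) -> list:
    """Parse the constructed log format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."),
                        "qtype": qtype.upper()})
    return records


def split_zone(qname: str, suffix_labels: int = 2) -> tuple:
    """Split qname into (subdomain, zone). Assumption: the zone is the last
    two labels; production code should use the Public Suffix List."""
    labels = qname.split(".")
    if len(labels) <= suffix_labels:
        return "", qname
    return ".".join(labels[:-suffix_labels]), ".".join(labels[-suffix_labels:])


def query_features(qname: str) -> dict:
    """Lexical features of the subdomain part of one query name."""
    sub, zone = split_zone(qname)
    labels = sub.split(".") if sub else []
    compact = sub.replace(".", "")
    return {
        "zone": zone,
        "subdomain": sub,
        "sub_len": len(compact),
        "label_count": len(labels),
        "longest_label": max((len(l) for l in labels), default=0),
        "entropy": shannon_entropy(compact),
        "digit_ratio": (sum(ch.isdigit() for ch in compact) / len(compact)
                        if compact else 0.0),
    }


def zone_features(records: list) -> dict:
    """Aggregate per-query features into one feature vector per zone."""
    acc = defaultdict(lambda: {"queries": 0, "subs": set(), "clients": set(),
                               "entropy_sum": 0.0, "len_sum": 0, "bulk": 0})
    for r in records:
        f = query_features(r["qname"])
        z = acc[f["zone"]]
        z["queries"] += 1
        z["subs"].add(f["subdomain"])
        z["clients"].add(r["client"])
        z["entropy_sum"] += f["entropy"]
        z["len_sum"] += f["sub_len"]
        z["bulk"] += r["qtype"] in BULK_TYPES
    out = {}
    for zone, z in acc.items():
        n = z["queries"]
        out[zone] = {"queries": n, "clients": len(z["clients"]),
                     "unique_subdomain_ratio": len(z["subs"]) / n,
                     "mean_entropy": z["entropy_sum"] / n,
                     "mean_sub_len": z["len_sum"] / n,
                     "bulk_type_ratio": z["bulk"] / n}
    return out


def detect(log_text: str, min_queries: int = 2, min_indicators: int = 3) -> list:
    """Zones tripping at least min_indicators of four illustrative rules.
    Thresholds are assumptions for this example; a trained classifier on
    the same feature vectors would replace them. Zones with fewer than
    min_queries queries are skipped because ratios on one query are
    degenerate (a single query always has unique_subdomain_ratio 1.0)."""
    flagged = []
    for zone, f in sorted(zone_features(parse_log(log_text)).items()):
        if f["queries"] < min_queries:
            continue
        indicators = [f["mean_entropy"] >= 3.5, f["mean_sub_len"] >= 20,
                      f["unique_subdomain_ratio"] >= 0.9,
                      f["bulk_type_ratio"] >= 0.5]
        if sum(indicators) >= min_indicators:
            flagged.append(zone)
    return flagged


if __name__ == "__main__":
    for zone, f in zone_features(parse_log(SAMPLE_LOG)).items():
        print(zone, {k: round(v, 2) for k, v in f.items()})
    print("flagged:", detect(SAMPLE_LOG))
```

Run against `SAMPLE_LOG`, only `exfil.example` is flagged: every query there is a distinct, long, high-entropy label over TXT, while `example.com` repeats short dictionary labels over A and MX. The per-zone aggregation matters as much as the lexical features: a single odd-looking CDN hostname should not raise an alert, which is why the rule skips zones below `min_queries` and scores ratios rather than individual names.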

[1] Vern Paxson et al., "Practical Comprehensive Bounds on Surreptitious Communication over DNS," USENIX Security Symposium, 2013.

[2] Felix C. Freiling et al., "On Botnets That Use DNS for Command and Control," 7th European Conference on Computer Network Defense, 2011.

[3] Gaël Varoquaux et al., "Scikit-learn: Machine Learning in Python," Journal of Machine Learning Research, 2011.

[4] Tyrell William Fawcett, "EXFILD: A Tool for the Detection of Data Exfiltration Using Entropy and Encryption Characteristics of Network Traffic," 2010.

[5] Gilles Louppe et al., "Independent consultant," 2013.

[6] Chris Fry et al., "Security Monitoring: Proven Methods for Incident Detection on Enterprise Networks," 2009.

[7] Patrick Butler et al., "Quantitatively Analyzing Stealthy Communication Channels," ACNS, 2011.

[8] Amr M. Youssef et al., "Characterization of Covert Channels in DNS," 6th International Conference on New Technologies, Mobility and Security (NTMS), 2014.

[9] Anestis Karasaridis et al., "Detection of DNS Anomalies using Flow Data Analysis," IEEE Globecom, 2006.

[10] Yizheng Chen et al., "DNS Noise: Measuring the Pervasiveness of Disposable Domains in Modern DNS Traffic," 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 2014.

[11] Anthony Keane et al., "Detection of DNS Based Covert Channels," 2015.

[12] Antonios Atlasis et al., "Detecting DNS Tunneling," 2019.