[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to main content
Springer Nature Link
Log in

Improving DNS Data Exfiltration Detection Through Temporal Analysis

  • Conference paper
  • First Online:
Ubiquitous Security (UbiSec 2023)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 2034))

Included in the following conference series:

  • 472 Accesses

Abstract

By leveraging the DNS tunneling technique, malicious actors have the ability to transfer covertly data embedded within a DNS transaction. A DNS tunnel can be used as a Command and Control (C &C) channel for botnet coordination, for data exfiltration, for tunneling another protocol through it, to name a few. To this end, it is imperative to develop DNS exfiltration detection techniques that are capable to mitigate such cybersecurity incidents and decrease the risks that can potentially pose within an infrastructure. In our work, we examine several DNS exfiltration detection techniques, and we compare the most common algorithms and detection features. Furthermore, we propose a temporal analysis enhancement mechanism with the purpose to increase the existing mechanisms’ efficiency. We focus on the detection of DNS exfiltration evidence within the logs of the DNS recursive resolver. Such setup does not require a specialized DNS traffic capturing mechanism, but rather the DNS queries are logged by default. This way, our approach can be used for both real time detection and forensic analysis. The performance of the proposed solution is demonstrated by investigating the DNS traffic generated from common open-source DNS tunneling tools. The results showcase that the temporal analysis can significantly improve the accuracy of the detection ratio of the exfiltration packets.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
£29.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
GBP 19.95
Price includes VAT (United Kingdom)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
GBP 59.99
Price includes VAT (United Kingdom)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
GBP 74.99
Price includes VAT (United Kingdom)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Al-kasassbeh, M., Khairallah, T.: Winning tactics with DNS tunnelling. Netw. Secur. 2019(12), 12–19 (2019)

    Article  Google Scholar 

  2. Alharbi, T., Koutny, M.: Domain name system (DNS) tunnelling detection using structured occurrence nets (SONs). In: Proceedings of the International Workshop on Petri Nets and Software Engineering (PNSE 2019) (2019)

    Google Scholar 

  3. Almusawi, A., Amintoosi, H.: DNS tunneling detection method based on multilabel support vector machine. Secur. Commun. Netw. 2018 (2018)

    Google Scholar 

  4. Anagnostopoulos, M., Kambourakis, G., Konstantinou, E., Gritzalis, S.: DNSSEC vs. DNSCurve: a side-by-side comparison. In: Situational Awareness in Computer Network Defense: Principles, Methods and Applications, pp. 201–220. IGI Global (2012)

    Google Scholar 

  5. Born, K., Gustafson, D.: Detecting DNS tunnels using character frequency analysis. In: Proceedings of the 9th Annual Security Conference (2010)

    Google Scholar 

  6. Bubnov, Y.: DNS tunneling detection using feedforward neural network. Eur. J. Eng. Technol. Res. 3(11), 16–19 (2018)

    Google Scholar 

  7. Buczak, A.L., Hanke, P.A., Cancro, G.J., Toma, M.K., Watkins, L.A., Chavis, J.S.: Detection of tunnels in PCAP data by random forests. In: Proceedings of the 11th Annual Cyber and Information Security Research Conference, pp. 1–4 (2016)

    Google Scholar 

  8. Cejka, T., Rosa, Z., Kubatova, H.: Stream-wise detection of surreptitious traffic over DNS. In: 2014 IEEE 19th International Workshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD), pp. 300–304. IEEE (2014)

    Google Scholar 

  9. Das, A., Shen, M.Y., Shashanka, M., Wang, J.: Detection of exfiltration and tunneling over DNS. In: 2017 16th IEEE International Conference on Machine Learning and Applications (ICMLA), pp. 737–742. IEEE (2017)

    Google Scholar 

  10. Dietrich, C.J., Rossow, C., Freiling, F.C., Bos, H., van Steen, M.V., Pohlmann, N.: On botnets that use DNS for command and control. In: 2011 Seventh European Conference on Computer Network Defense (EC2ND), pp. 9–16 (2011)

    Google Scholar 

  11. Do, V.T., Engelstad, P., Feng, B., Van Do, T.: Detection of DNS tunneling in mobile networks using machine learning. In: Kim, K., Joukov, N. (eds.) ICISA 2017. LNEE, vol. 424, pp. 221–230. Springer, Singapore (2017). https://doi.org/10.1007/978-981-10-4154-9_26

    Chapter  Google Scholar 

  12. Farnham, G., Atlasis, A.: Detecting DNS tunneling. SANS Institute InfoSec Reading Room, vol. 9, pp. 1–32 (2013)

    Google Scholar 

  13. Hind, J.: Catching DNS tunnels with AI. In: Proceedings of DefCon, vol. 17 (2009)

    Google Scholar 

  14. Kambourakis, G., Anagnostopoulos, M., Meng, W., Zhou, P.: Botnets: Architectures, Countermeasures, and Challenges. CRC Press, Boca Raton (2019)

    Book  Google Scholar 

  15. Lai, C.M., Huang, B.C., Huang, S.Y., Mao, C.H., Lee, H.M.: Detection of DNS tunneling by feature-free mechanism. In: 2018 IEEE Conference on Dependable and Secure Computing (DSC), pp. 1–2. IEEE (2018)

    Google Scholar 

  16. Lambion, D., Josten, M., Olumofin, F., De Cock, M.: Malicious DNS tunneling detection in real-traffic DNS data. In: 2020 IEEE International Conference on Big Data (Big Data), pp. 5736–5738. IEEE (2020)

    Google Scholar 

  17. Liang, J., Wang, S., Zhao, S., Chen, S.: FECC: DNS tunnel detection model based on CNN and clustering. Comput. Secur. 128, 103132 (2023)

    Article  Google Scholar 

  18. Liu, C., Dai, L., Cui, W., Lin, T.: A byte-level CNN method to detect DNS tunnels. In: 2019 IEEE 38th International Performance Computing and Communications Conference (IPCCC), pp. 1–8. IEEE (2019)

    Google Scholar 

  19. Mullaney, C.: Morto worm sets a (DNS) record. Technical report (2011). http://www.symantec.com/connect/blogs/morto-worm-sets-dns-record

  20. Nadler, A., Aminov, A., Shabtai, A.: Detection of Malicious and Low Throughput Data Exfiltration Over the DNS Protocol. CoRR abs/1709.08395 (2017)

    Google Scholar 

  21. Nuojua, V., David, G., Hämäläainen, T.: DNS tunneling detection techniques - classification, and theoretical comparison in case of a real APT campaign. In: Galinina, O., Andreev, S., Balandin, S., Koucheryavy, Y. (eds.) Internet of Things, Smart Spaces, and Next Generation Networks and Systems. LNCS, vol. 10531, pp. 280–291. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-67380-6_26

    Chapter  Google Scholar 

  22. Preston, R.: DNS tunneling detection with supervised learning. In: 2019 IEEE International Symposium on Technologies for Homeland Security (HST), pp. 1–6. IEEE (2019)

    Google Scholar 

  23. Sammour, M., Hussin, B., Othman, M.F.I., Doheir, M., AlShaikhdeeb, B., Talib, M.S.: DNS tunneling: a review on features. Int. J. Eng. Technol. 7(3.20), 1–5 (2018)

    Google Scholar 

  24. Shafieian, S., Smith, D., Zulkernine, M.: Detecting DNS tunneling using ensemble learning. In: Yan, Z., Molva, R., Mazurczyk, W., Kantola, R. (eds.) NSS 2017. LNCS, vol. 10394, pp. 112–127. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-64701-2_9

    Chapter  Google Scholar 

  25. Tatang, D., Quinkert, F., Dolecki, N., Holz, T.: A study of newly observed hostnames and DNS tunneling in the wild. arXiv preprint arXiv:1902.08454 (2019)

  26. Tatang, D., Quinkert, F., Holz, T.: Below the radar: spotting DNS tunnels in newly observed hostnames in the wild. In: 2019 APWG Symposium on Electronic Crime Research (eCrime), pp. 1–15. IEEE (2019)

    Google Scholar 

  27. Wang, S., Sun, L., Qin, S., Li, W., Liu, W.: KRTunnel: DNS channel detector for mobile devices. Comput. Secur. 120, 102818 (2022)

    Article  Google Scholar 

  28. Wang, Y., Zhou, A., Liao, S., Zheng, R., Hu, R., Zhang, L.: A comprehensive survey on DNS tunnel detection. Comput. Netw. 197, 108322 (2021)

    Article  Google Scholar 

  29. Xu, K., Butler, P., Saha, S., Yao, D.: DNS for massive-scale command and control. IEEE Trans. Dependable Secure Comput. 10(3), 143–153 (2013)

    Article  Google Scholar 

  30. Yu, B., Smith, L., Threefoot, M., Olumofin, F.G.: Behavior analysis based DNS tunneling detection and classification with big data technologies. In: IoTBD, pp. 284–290 (2016)

    Google Scholar 

  31. Žiža, K., Tadić, P., Vuletić, P.: DNS exfiltration detection in the presence of adversarial attacks and modified exfiltrator behaviour. Int. J. Inf. Secur. 22(6), 1865–1880 (2023)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Information Security and Communications Technology, Norwegian University of Science and Technology, 2802, Gjøvik, Norway

    Georgios Spathoulas & Georgios Kavallieratos

  2. Department of Electronic Systems, Aalborg University, 2450, Copenhagen, Denmark

    Marios Anagnostopoulos & Georgios Theodoridis

  3. Department of Computer Science and Biomedical Informatics, University of Thessaly, 35131, Lamia, Greece

    Konstantinos Papageorgiou

Authors
  1. Georgios Spathoulas
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Marios Anagnostopoulos
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Konstantinos Papageorgiou
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Georgios Kavallieratos
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Georgios Theodoridis
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Marios Anagnostopoulos .

Editor information

Editors and Affiliations

  1. School of Computer Science and Cyber Engineering, Guangzhou University, Guangzhou, China

    Guojun Wang

  2. Department of Computer Science, University of Exeter, Exeter, UK

    Haozhe Wang

  3. Department of Computer Science, University of Exeter, Exeter, UK

    Geyong Min

  4. Applied Research Department, British Telecom, London, UK

    Nektarios Georgalas

  5. Department of Applied Mathematics and Computer Science, University of Denmark, Copenhagen, Denmark

    Weizhi Meng

Rights and permissions

Reprints and permissions

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Spathoulas, G., Anagnostopoulos, M., Papageorgiou, K., Kavallieratos, G., Theodoridis, G. (2024). Improving DNS Data Exfiltration Detection Through Temporal Analysis. In: Wang, G., Wang, H., Min, G., Georgalas, N., Meng, W. (eds) Ubiquitous Security. UbiSec 2023. Communications in Computer and Information Science, vol 2034. Springer, Singapore. https://doi.org/10.1007/978-981-97-1274-8_9

Download citation

  • DOI: https://doi.org/10.1007/978-981-97-1274-8_9

  • Published:

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-97-1273-1

  • Online ISBN: 978-981-97-1274-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics