[go: up one dir, main page]
More Web Proxy on the site http://driver.im/ skip to main content
10.1145/2897795.2897804acmotherconferencesArticle/Chapter ViewAbstractPublication PagescisrcConference Proceedingsconference-collections
short-paper

Detection of Tunnels in PCAP Data by Random Forests

Published: 05 April 2016 Publication History

Abstract

This paper describes an approach for detecting the presence of domain name system (DNS) tunnels in network traffic. DNS tunneling is a common technique hackers use to establish command and control nodes and to exfiltrate data from networks. To generate the training data sufficient to build models to detect DNS tunneling activity, a penetration testing effort was employed. We extracted features from this data and trained random forest classifiers to distinguish normal DNS activity from tunneling activity. The classifiers successfully detected the presence of tunnels we trained on, and four other types of tunnels that were not a part of the training set.

References

[1]
Virvilis, N. and Gritzalis, D. 2013. The big four -- What we did wrong in advanced persistent threat detection? 8th Int. Conf. on Availability, Reliability and Security (ARES). 248--254.
[2]
Lumension. Redefining-Defense-in-Depth. Accessed 11 Jan 2016. https://www.lumension.com/Media_Files/Documents/Marketing---Sales/Whitepapers/Redefining-Defense-in-Depth.aspx
[3]
Mandiant. APT1: Exposing one of China's cyber espionage units. Accessed 11 Jan 2016. http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf.
[4]
Dietrich, C., Rossow, C., Freiling, F., Bos, H., van Steen M., and Pohlmann, N. 2011. Botnets that use DNS for Command and Control. Proc. of European Conf. on Computer Network Defense.
[5]
Aiello, M., Mongelli, M., and Papaleo, G. 2014. DNS tunneling detection through statistical fingerprints of protocol messages and machine learning. Proc. of the International Journal of Communication Systems. June 2014.
[6]
Farnham, G. Detecting DNS Tunneling. SANS Institute White Paper. February 2013. Accessed 11 Jan 2016. http://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152.
[7]
F5. Scale your DNS Infrastructure. Accessed 11 Jan 2016. https://f5.com/portals/1/pdf/events/Scale-your-DNS-Infrastructure-to-ensure-App-and-Service-Availability.pdf.
[8]
Allard, F., Dubois, R., Gompel, P., and Morel, M. 2010. Tunneling activities detection using machine learning techniques. NATO Research and Technology Organization Symp. on Information Assurance and Cyber Defence.
[9]
Hind, J. 2009. Catching DNS Tunnels with A.I. DefCon 17. 29 July to 2 August 2009. Las Vegas, NV.
[10]
Raman, D. et al. 2013. DNS tunneling for network penetration. Infor. Security and Cryptology 2012. 65--77.
[11]
IETF. Accessed 11 Jan 2016. https://www.ietf.org/
[12]
Breiman, L. 2001. Random forests. Machine Learning. 45(1), 5--32.
[13]
Breiman, L. 1996. Bagging predictors. Machine Learning. 24(2). 123--140.
[14]
Cran R Project. Package Random Forest. Accessed 11 Jan 2016. https://cran.r-project.org/web/packages/randomForest/randomForest.pdf
[15]
Kent, J. T. 1983. Information gain and a general measure of correlation. Biometrika. 70(1).163--173.
[16]
Gowda Karegowda, A., Manjunath A. S., and Jayaram M. A. 2010. Comparative Study of Attribute Selection using Gain Ratio and Correlation Based Feature Selection. Int. J Inf. Tech. & Knowledge Management. 2(2). 271--277.

Cited By

View all
  • (2024)COMPARISON OF MACHINE LEARNING ALGORITHMS FOR DETECTION OF DATA EXFILTRATION OVER DNSYalvaç Akademi Dergisi10.57120/yalvac.15074029:2(61-70)Online publication date: 30-Oct-2024
  • (2024)DNS Exfiltration Guided by Generative Adversarial Networks2024 IEEE 9th European Symposium on Security and Privacy (EuroS&P)10.1109/EuroSP60621.2024.00038(580-599)Online publication date: 8-Jul-2024
  • (2024)Exploring Data Traceability Methods in Information Management Within Universities: An Action Research and Case Study ApproachIEEE Access10.1109/ACCESS.2024.349386012(175196-175217)Online publication date: 2024
  • Show More Cited By

Recommendations

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Other conferences
CISRC '16: Proceedings of the 11th Annual Cyber and Information Security Research Conference
April 2016
150 pages
ISBN:9781450337526
DOI:10.1145/2897795
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

In-Cooperation

  • Oak Ridge National Laboratory

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 05 April 2016

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. Cyber Attacks
  2. Machine Learning
  3. Random Forests
  4. Tunneling

Qualifiers

  • Short-paper
  • Research
  • Refereed limited

Conference

CISRC '16

Acceptance Rates

CISRC '16 Paper Acceptance Rate 11 of 28 submissions, 39%;
Overall Acceptance Rate 69 of 136 submissions, 51%

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)45
  • Downloads (Last 6 weeks)4
Reflects downloads up to 17 Dec 2024

Other Metrics

Citations

Cited By

View all
  • (2024)COMPARISON OF MACHINE LEARNING ALGORITHMS FOR DETECTION OF DATA EXFILTRATION OVER DNSYalvaç Akademi Dergisi10.57120/yalvac.15074029:2(61-70)Online publication date: 30-Oct-2024
  • (2024)DNS Exfiltration Guided by Generative Adversarial Networks2024 IEEE 9th European Symposium on Security and Privacy (EuroS&P)10.1109/EuroSP60621.2024.00038(580-599)Online publication date: 8-Jul-2024
  • (2024)Exploring Data Traceability Methods in Information Management Within Universities: An Action Research and Case Study ApproachIEEE Access10.1109/ACCESS.2024.349386012(175196-175217)Online publication date: 2024
  • (2024)AutoRoC-DBSCAN: automatic tuning of DBSCAN to detect malicious DNS tunnelsAnnals of Telecommunications10.1007/s12243-024-01025-5Online publication date: 22-Mar-2024
  • (2024)Improving DNS Data Exfiltration Detection Through Temporal AnalysisUbiquitous Security10.1007/978-981-97-1274-8_9(133-146)Online publication date: 13-Mar-2024
  • (2023)Towards a Near-Real-Time Protocol Tunneling Detector Based on Machine Learning TechniquesJournal of Cybersecurity and Privacy10.3390/jcp30400353:4(794-807)Online publication date: 6-Nov-2023
  • (2023)An Adaptive Multitask Network for Detecting the Region of Water Leakage in TunnelsApplied Sciences10.3390/app1310623113:10(6231)Online publication date: 19-May-2023
  • (2023)An adaptive multitask network for detecting the region of water leakage in tunnelsJournal of Intelligent & Fuzzy Systems10.3233/JIFS-224315(1-15)Online publication date: 24-Jul-2023
  • (2023)Malicious DNS Tunnel Tool Recognition Using Persistent DoH Traffic AnalysisIEEE Transactions on Network and Service Management10.1109/TNSM.2022.321568120:2(2086-2095)Online publication date: Jun-2023
  • (2023)Classifying DNS over HTTPS Malicious/Benign Traffic Using Deep Learning Models2023 10th International Conference on Soft Computing & Machine Intelligence (ISCMI)10.1109/ISCMI59957.2023.10458486(1-5)Online publication date: 25-Nov-2023
  • Show More Cited By

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Media

Figures

Other

Tables

Share

Share

Share this Publication link

Share on social media