More Web Proxy on the site http://driver.im/

short-paper

Detection of Tunnels in PCAP Data by Random Forests

Authors:

Anna L. Buczak,

George J. Cancro,

Michael K. Toma,

Lanier A. Watkins,

Jeffrey S. ChavisAuthors Info & Claims

CISRC '16: Proceedings of the 11th Annual Cyber and Information Security Research Conference

Article No.: 16, Pages 1 - 4

https://doi.org/10.1145/2897795.2897804

Published: 05 April 2016 Publication History

Abstract

This paper describes an approach for detecting the presence of domain name system (DNS) tunnels in network traffic. DNS tunneling is a common technique hackers use to establish command and control nodes and to exfiltrate data from networks. To generate the training data sufficient to build models to detect DNS tunneling activity, a penetration testing effort was employed. We extracted features from this data and trained random forest classifiers to distinguish normal DNS activity from tunneling activity. The classifiers successfully detected the presence of tunnels we trained on, and four other types of tunnels that were not a part of the training set.

References

[1]

Virvilis, N. and Gritzalis, D. 2013. The big four -- What we did wrong in advanced persistent threat detection? 8th Int. Conf. on Availability, Reliability and Security (ARES). 248--254.

Digital Library

[2]

Lumension. Redefining-Defense-in-Depth. Accessed 11 Jan 2016. https://www.lumension.com/Media_Files/Documents/Marketing---Sales/Whitepapers/Redefining-Defense-in-Depth.aspx

[3]

Mandiant. APT1: Exposing one of China's cyber espionage units. Accessed 11 Jan 2016. http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf.

[4]

Dietrich, C., Rossow, C., Freiling, F., Bos, H., van Steen M., and Pohlmann, N. 2011. Botnets that use DNS for Command and Control. Proc. of European Conf. on Computer Network Defense.

Digital Library

[5]

Aiello, M., Mongelli, M., and Papaleo, G. 2014. DNS tunneling detection through statistical fingerprints of protocol messages and machine learning. Proc. of the International Journal of Communication Systems. June 2014.

Digital Library

[6]

Farnham, G. Detecting DNS Tunneling. SANS Institute White Paper. February 2013. Accessed 11 Jan 2016. http://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152.

[7]

F5. Scale your DNS Infrastructure. Accessed 11 Jan 2016. https://f5.com/portals/1/pdf/events/Scale-your-DNS-Infrastructure-to-ensure-App-and-Service-Availability.pdf.

[8]

Allard, F., Dubois, R., Gompel, P., and Morel, M. 2010. Tunneling activities detection using machine learning techniques. NATO Research and Technology Organization Symp. on Information Assurance and Cyber Defence.

[9]

Hind, J. 2009. Catching DNS Tunnels with A.I. DefCon 17. 29 July to 2 August 2009. Las Vegas, NV.

[10]

Raman, D. et al. 2013. DNS tunneling for network penetration. Infor. Security and Cryptology 2012. 65--77.

Digital Library

[11]

IETF. Accessed 11 Jan 2016. https://www.ietf.org/

[12]

Breiman, L. 2001. Random forests. Machine Learning. 45(1), 5--32.

Digital Library

[13]

Breiman, L. 1996. Bagging predictors. Machine Learning. 24(2). 123--140.

[14]

Cran R Project. Package Random Forest. Accessed 11 Jan 2016. https://cran.r-project.org/web/packages/randomForest/randomForest.pdf

[15]

Kent, J. T. 1983. Information gain and a general measure of correlation. Biometrika. 70(1).163--173.

[16]

Gowda Karegowda, A., Manjunath A. S., and Jayaram M. A. 2010. Comparative Study of Attribute Selection using Gain Ratio and Correlation Based Feature Selection. Int. J Inf. Tech. & Knowledge Management. 2(2). 271--277.

Cited By

Açıkgözoğlu E(2024)COMPARISON OF MACHINE LEARNING ALGORITHMS FOR DETECTION OF DATA EXFILTRATION OVER DNSYalvaç Akademi Dergisi10.57120/yalvac.15074029:2(61-70)Online publication date: 30-Oct-2024
https://doi.org/10.57120/yalvac.1507402
Fahim AZhu SQian ZSong CPapalexakis EChakraborty SChan KYu PJaeger TKrishnamurthy S(2024)DNS Exfiltration Guided by Generative Adversarial Networks2024 IEEE 9th European Symposium on Security and Privacy (EuroS&P)10.1109/EuroSP60621.2024.00038(580-599)Online publication date: 8-Jul-2024
https://doi.org/10.1109/EuroSP60621.2024.00038
Chen HHu Z(2024)Exploring Data Traceability Methods in Information Management Within Universities: An Action Research and Case Study ApproachIEEE Access10.1109/ACCESS.2024.349386012(175196-175217)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3493860
Show More Cited By

Recommendations

Lightweight Hybrid Detection of Data Exfiltration using DNS based on Machine Learning
ICCNS '21: Proceedings of the 2021 11th International Conference on Communication and Network Security

Domain Name System (DNS) is a popular way to steal sensitive information from enterprise networks and maintain a covert tunnel for command and control communications with a malicious server. Due to the significant role of DNS services, enterprises ...
Supervised heterogeneous transfer learning using random forests
CODS-COMAD '18: Proceedings of the ACM India Joint International Conference on Data Science and Management of Data

Supervised transfer learning algorithms utilize labeled data from auxiliary domains for learning in another domain where labeled data is scarce or absent. Given sufficient cross-domain corresponding instances, one can learn a robust transformation that ...
Training Big Random Forests with Little Resources
KDD '18: Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining

Without access to large compute clusters, building random forests on large datasets is still a challenging problem. This is, in particular, the case if fully-grown trees are desired. We propose a simple yet effective framework that allows to efficiently ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Other conferences

CISRC '16: Proceedings of the 11th Annual Cyber and Information Security Research Conference

April 2016

150 pages

ISBN:9781450337526

DOI:10.1145/2897795

General Chairs:
Joseph P. Trien
Oak Ridge National Laboratory
,
Stacy J. Prowell
Oak Ridge National Laboratory
,
John R. Goodall
Oak Ridge National Laboratory
,
Program Chair:
Robert A. Bridges
Oak Ridge National Laboratory

Copyright © 2016 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

In-Cooperation

Oak Ridge National Laboratory

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 05 April 2016

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Short-paper
Research
Refereed limited

Conference

CISRC '16

CISRC '16: 11th Annual Cyber and Information Security Research

April 5 - 7, 2016

TN, Oak Ridge, USA

Acceptance Rates

CISRC '16 Paper Acceptance Rate 11 of 28 submissions, 39%;

Overall Acceptance Rate 69 of 136 submissions, 51%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

34
Total Citations
View Citations
652
Total Downloads

Downloads (Last 12 months)45
Downloads (Last 6 weeks)4

Reflects downloads up to 18 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Açıkgözoğlu E(2024)COMPARISON OF MACHINE LEARNING ALGORITHMS FOR DETECTION OF DATA EXFILTRATION OVER DNSYalvaç Akademi Dergisi10.57120/yalvac.15074029:2(61-70)Online publication date: 30-Oct-2024
https://doi.org/10.57120/yalvac.1507402
Fahim AZhu SQian ZSong CPapalexakis EChakraborty SChan KYu PJaeger TKrishnamurthy S(2024)DNS Exfiltration Guided by Generative Adversarial Networks2024 IEEE 9th European Symposium on Security and Privacy (EuroS&P)10.1109/EuroSP60621.2024.00038(580-599)Online publication date: 8-Jul-2024
https://doi.org/10.1109/EuroSP60621.2024.00038
Chen HHu Z(2024)Exploring Data Traceability Methods in Information Management Within Universities: An Action Research and Case Study ApproachIEEE Access10.1109/ACCESS.2024.349386012(175196-175217)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3493860
Nguyen TLaborde RBenzekri AOglaza AMounsif M(2024)AutoRoC-DBSCAN: automatic tuning of DBSCAN to detect malicious DNS tunnelsAnnals of Telecommunications10.1007/s12243-024-01025-5Online publication date: 22-Mar-2024
https://doi.org/10.1007/s12243-024-01025-5
Spathoulas GAnagnostopoulos MPapageorgiou KKavallieratos GTheodoridis G(2024)Improving DNS Data Exfiltration Detection Through Temporal AnalysisUbiquitous Security10.1007/978-981-97-1274-8_9(133-146)Online publication date: 13-Mar-2024
https://doi.org/10.1007/978-981-97-1274-8_9
Sobrero FClavarezza BUcci DBisio F(2023)Towards a Near-Real-Time Protocol Tunneling Detector Based on Machine Learning TechniquesJournal of Cybersecurity and Privacy10.3390/jcp30400353:4(794-807)Online publication date: 6-Nov-2023
https://doi.org/10.3390/jcp3040035
Zhao LWang JLiu SYang X(2023)An Adaptive Multitask Network for Detecting the Region of Water Leakage in TunnelsApplied Sciences10.3390/app1310623113:10(6231)Online publication date: 19-May-2023
https://doi.org/10.3390/app13106231
Zhao LWang JLiu SYang X(2023)An adaptive multitask network for detecting the region of water leakage in tunnelsJournal of Intelligent & Fuzzy Systems10.3233/JIFS-224315(1-15)Online publication date: 24-Jul-2023
https://doi.org/10.3233/JIFS-224315
Mitsuhashi RJin YIida KShinagawa TTakai Y(2023)Malicious DNS Tunnel Tool Recognition Using Persistent DoH Traffic AnalysisIEEE Transactions on Network and Service Management10.1109/TNSM.2022.321568120:2(2086-2095)Online publication date: Jun-2023
https://doi.org/10.1109/TNSM.2022.3215681
Chougule MK PP. P AViswanathan SRavichandran KSethumadhavan MRahimi MGandomi A(2023)Classifying DNS over HTTPS Malicious/Benign Traffic Using Deep Learning Models2023 10th International Conference on Soft Computing & Machine Intelligence (ISCMI)10.1109/ISCMI59957.2023.10458486(1-5)Online publication date: 25-Nov-2023
https://doi.org/10.1109/ISCMI59957.2023.10458486
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents