
Visualization of DNS Tunneling Attacks Using Parallel Coordinates Technique

  • Conference paper
Security, Privacy, and Anonymity in Computation, Communication, and Storage (SpaCCS 2019)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 11611)

Abstract

The Domain Name System (DNS) is considered one of the most critical protocols on the Internet. DNS translates human-readable domain names into Internet Protocol (IP) addresses and vice versa. A DNS tunneling attack uses DNS to create a covert channel that bypasses the firewall, either to perform command and control functions from within a compromised network or to transfer data into and out of that network. There is existing work on detecting attacks that use DNS, but little of it focuses on the DNS tunneling attack. In this work, we introduce a fast and scalable approach that uses the parallel coordinates technique to visualize a malicious DNS tunneling attack within a large amount of network traffic. A DNS tunneling attack was performed in order to study the differences between normal and malicious traffic. Based on different scenarios, four DNS tunneling graphical patterns were defined for distinguishing normal DNS traffic from malicious traffic containing DNS tunneling attacks. Finally, the proposed system was able to visualize the DNS tunneling attack efficiently, as a basis for future work on an efficient detection system.
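The abstract does not list the per-query features the paper plots, so the following is an added example, not the paper's code: it parses a constructed DNS query log, extracts a set of assumed axes commonly used as tunneling indicators (query name length, label count, entropy of the subdomain prefix, an assumed ordinal rank for the record type, answer size) and min-max scales each axis to [0, 1] so that every query becomes one polyline in a parallel coordinates plot.

```python
import math
from collections import Counter

# Constructed sample query log (not from the paper): time client qname qtype answer_bytes.
# Lines 3-4 mimic encoded data carried in long, high-entropy subdomains with TXT answers.
SAMPLE_LOG = """\
2019-02-06T10:00:01 10.0.0.5 www.example.com A 60
2019-02-06T10:00:02 10.0.0.5 mail.example.com MX 80
2019-02-06T10:00:03 10.0.0.7 4a7b3c9d2e1f0a6b5c4d3e2f1a0b9c8d.t.example-tunnel.test TXT 512
2019-02-06T10:00:04 10.0.0.7 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c.t.example-tunnel.test TXT 498
2019-02-06T10:00:05 10.0.0.5 cdn.example.org AAAA 72
"""

# Assumed axes: the paper does not list its features, so these are common tunneling indicators.
AXES = ["qname_len", "label_count", "prefix_entropy", "qtype_rank", "answer_bytes"]
QTYPE_RANK = {"A": 0, "AAAA": 1, "MX": 2, "CNAME": 3, "TXT": 4, "NULL": 5}  # assumed ordering


def shannon_entropy(s):
    """Bits per character of s: near 4 for hex/base32 data, 0 for a repetitive label."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def parse_line(line):
    ts, client, qname, qtype, size = line.split()
    return {"ts": ts, "client": client, "qname": qname.rstrip("."),
            "qtype": qtype.upper(), "answer_bytes": int(size)}


def features(rec):
    labels = rec["qname"].split(".")
    prefix = ".".join(labels[:-2])  # part left of the registered domain (assumed two labels)
    return [len(rec["qname"]), len(labels), shannon_entropy(prefix),
            QTYPE_RANK.get(rec["qtype"], len(QTYPE_RANK)), rec["answer_bytes"]]


def parallel_coordinates(log_text):
    """Return (client, qname, coords) per query. coords are min-max scaled per axis to [0, 1],
    so each tuple is one polyline across AXES; tunnel queries show up as lines pinned
    to the top of several axes at once, which is the visual pattern the paper exploits."""
    recs = [parse_line(l) for l in log_text.strip().splitlines()]
    raw = [features(r) for r in recs]
    lo = [min(col) for col in zip(*raw)]
    hi = [max(col) for col in zip(*raw)]
    scaled = [[(v - a) / (b - a) if b > a else 0.0 for v, a, b in zip(row, lo, hi)]
              for row in raw]
    return [(r["client"], r["qname"], c) for r, c in zip(recs, scaled)]


if __name__ == "__main__":
    for client, qname, coords in parallel_coordinates(SAMPLE_LOG):
        print(client, qname[:20].ljust(20), " ".join(f"{c:.2f}" for c in coords))
```

The scaled rows can be handed directly to any parallel coordinates renderer (one axis per entry in AXES); the point of the scaling is that a tunnel query lands at the top of the length, entropy and record-type axes simultaneously while normal queries stay low.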



Acknowledgments

This material is based upon work funded by Republic of Iraq Ministry of Higher Education and Scientific Research (MOHESR).

Corresponding author

Correspondence to Yasir F. Mohammed.


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Mohammed, Y.F., Thompson, D.R. (2019). Visualization of DNS Tunneling Attacks Using Parallel Coordinates Technique. In: Wang, G., Feng, J., Bhuiyan, M., Lu, R. (eds) Security, Privacy, and Anonymity in Computation, Communication, and Storage. SpaCCS 2019. Lecture Notes in Computer Science, vol 11611. Springer, Cham. https://doi.org/10.1007/978-3-030-24907-6_8


  • DOI: https://doi.org/10.1007/978-3-030-24907-6_8


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-24906-9

  • Online ISBN: 978-3-030-24907-6

  • eBook Packages: Computer Science (R0)
