Abstract
The Domain Name System (DNS) is one of the most critical protocols on the Internet: it translates human-readable domain names into Internet Protocol (IP) addresses and vice versa. A DNS tunneling attack uses DNS as a covert channel to bypass the firewall, to perform command and control functions from within a compromised network, or to transfer data into and out of the network. Existing work addresses the detection of attacks that abuse DNS, but little of it focuses on DNS tunneling. In this work we introduce a fast and scalable approach that uses the parallel coordinates technique to visualize malicious DNS tunneling within a large volume of network traffic. A DNS tunneling attack was carried out in order to study the differences between normal and malicious traffic. Based on different scenarios, four DNS tunneling graphical patterns were defined for distinguishing normal DNS traffic from traffic containing DNS tunneling attacks. The proposed system visualizes DNS tunneling attacks efficiently and lays the groundwork for future work on an efficient detection system.
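As an added illustration of the data preparation behind a parallel-coordinates view of DNS traffic (this is example code written for this page, not the paper's implementation, and it does not reproduce the paper's four graphical patterns), the block below turns each query into one polyline across a set of per-query axes and min-max normalizes every axis so the polylines can be drawn side by side. The axis set (query name length, label count, longest label, Shannon entropy of the name, digit ratio, numeric query type) and the sample records are assumptions of this example; the records are constructed, not captured traffic. Tunnel-style queries, which carry encoded payload in long, high-entropy labels, land at the far end of several axes at once, which is the separation a parallel-coordinates plot makes visible.

```python
"""Per-query feature axes for a parallel-coordinates view of DNS traffic.

Added example, not the paper's code. Each DNS query becomes one row whose
normalized values (0.0..1.0 per axis) are the polyline drawn across the axes.
"""
import math
from collections import Counter

# Constructed sample records (timestamp, client, qname, qtype). Not real traffic.
# The last two imitate tunnel traffic: encoded payload in long hex-like labels.
SAMPLE = [
    ("10:00:01", "10.0.0.5", "www.example.com", "A"),
    ("10:00:02", "10.0.0.5", "mail.example.com", "MX"),
    ("10:00:03", "10.0.0.7", "cdn.example.net", "AAAA"),
    ("10:00:04", "10.0.0.9",
     "0a7f3e9c1b2d4e6f8a0c2e4b6d8f1a3c.5e7a9c1b3d5f7a9c1b3d5f7a9c1b3d5f.t1.example.org",
     "TXT"),
    ("10:00:05", "10.0.0.9",
     "4d2c6e8a0b1f3d5e7a9c2b4d6f8a0c1e.t1.example.org", "TXT"),
]

# Axes drawn left to right (an assumed feature set for this example).
AXES = ("qname_len", "labels", "longest_label", "entropy", "digit_ratio", "qtype")
# Numeric codes for common query types (RFC 1035 and RFC 3596 values).
QTYPE_CODES = {"A": 1, "CNAME": 5, "NULL": 10, "MX": 15, "TXT": 16, "AAAA": 28}


def shannon_entropy(text):
    """Bits per character of `text`; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def features(qname, qtype):
    """Raw (un-normalized) axis values for one query."""
    labels = qname.rstrip(".").split(".")
    return {
        "qname_len": len(qname),
        "labels": len(labels),
        "longest_label": max(len(label) for label in labels),
        "entropy": shannon_entropy(qname),
        "digit_ratio": sum(ch.isdigit() for ch in qname) / max(len(qname), 1),
        "qtype": QTYPE_CODES.get(qtype.upper(), 0),
    }


def normalize(feature_rows):
    """Min-max scale every axis over the batch; a constant axis maps to 0.0."""
    lo = {a: min(r[a] for r in feature_rows) for a in AXES}
    hi = {a: max(r[a] for r in feature_rows) for a in AXES}
    return [
        {a: 0.0 if hi[a] == lo[a] else (r[a] - lo[a]) / (hi[a] - lo[a]) for a in AXES}
        for r in feature_rows
    ]


def parallel_coordinates(records):
    """One row per record with its raw and normalized axis values."""
    raw = [features(qname, qtype) for _, _, qname, qtype in records]
    norm = normalize(raw)
    return [
        {"ts": ts, "client": client, "qname": qname, "qtype": qtype, "raw": r, "norm": n}
        for (ts, client, qname, qtype), r, n in zip(records, raw, norm)
    ]


def render(rows, width=40):
    """Crude text rendering: one line per axis, each query marked by its row index."""
    lines = []
    for axis in AXES:
        cells = ["."] * (width + 1)
        for i, row in enumerate(rows):
            cells[round(row["norm"][axis] * width)] = str(i)
        lines.append(f"{axis:>13} |{''.join(cells)}|")
    return "\n".join(lines)


if __name__ == "__main__":
    rows = parallel_coordinates(SAMPLE)
    for i, row in enumerate(rows):
        print(i, row["client"], row["qtype"], row["qname"][:40])
    print(render(rows))
```

On the constructed sample the two TXT rows sit at 1.0 on the name-length, longest-label and digit-ratio axes while the A/MX/AAAA rows cluster near 0.0, which is the visual separation the paper's approach relies on. Normalization is computed over the batch being plotted, so the same query can land at a different position in a different capture; a deployment would fix the axis ranges from a baseline of known-good traffic instead.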
Acknowledgments
This material is based upon work funded by Republic of Iraq Ministry of Higher Education and Scientific Research (MOHESR).
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Mohammed, Y.F., Thompson, D.R. (2019). Visualization of DNS Tunneling Attacks Using Parallel Coordinates Technique. In: Wang, G., Feng, J., Bhuiyan, M., Lu, R. (eds) Security, Privacy, and Anonymity in Computation, Communication, and Storage. SpaCCS 2019. Lecture Notes in Computer Science(), vol 11611. Springer, Cham. https://doi.org/10.1007/978-3-030-24907-6_8
DOI: https://doi.org/10.1007/978-3-030-24907-6_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-24906-9
Online ISBN: 978-3-030-24907-6
eBook Packages: Computer Science (R0)