
A DNS Tunneling Detection Method Based on Deep Learning Models to Prevent Data Exfiltration

  • Conference paper
  • Network and System Security (NSS 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11928)


Abstract

DNS tunneling is a typical DNS attack that has been used for stealing information for many years. The stolen data is encoded and encapsulated into DNS requests to evade intrusion detection. Popular machine-learning detection methods use features such as network traffic and DNS behavior. However, most of these features, for example time-frequency related features, can only be extracted after data exfiltration has already occurred. The key to preventing data exfiltration based on DNS tunneling is to detect the malicious query from a single DNS request. Since we do not use network traffic features or DNS behavior features, our method can detect DNS tunneling before data exfiltration.

In this paper, we propose a detection method based on deep learning models, which uses the DNS query payloads as the predictive variables of the models. As DNS tunneling data is a kind of text, our approach uses word embedding, a feature extraction method from natural language processing (NLP), as part of fitting the neural networks. In order to achieve high performance, the detection decision is made by common deep learning models, including a dense neural network (DNN), a one-dimensional convolutional neural network (1D-CNN) and a recurrent neural network (RNN). We implement the DNS tunneling detection system in a real network environment. The results show that our approach achieves 99.90% accuracy and is more secure than existing methods.
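As an added illustration (not the paper's code), the following shows the single-request preprocessing the abstract describes: the query payload of one DNS request is turned into a fixed-length sequence of character ids that an embedding layer would consume, with no timing or per-client traffic statistics involved. It assumes character-level tokenization and a two-label zone, neither of which the abstract specifies.

```python
import string

# Added example, not the paper's implementation. Each DNS request is encoded on
# its own, so a classifier can decide before any traffic statistics accumulate.

PAD, UNK = 0, 1
# Assumption: hostname characters in lowercase; '.' is kept so label boundaries
# survive in the sequence; anything else maps to UNK.
VOCAB = {c: i + 2 for i, c in enumerate(string.ascii_lowercase + string.digits + "-_.")}


def payload_labels(qname, zone_labels=2):
    """Return the subdomain labels of qname, dropping the trailing zone.

    Assumption: the zone is the last `zone_labels` labels (e.g. 'example.com');
    a public-suffix list would replace this simplification in a deployment.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= zone_labels:
        return []
    return labels[:-zone_labels]


def encode_query(qname, max_len=64, zone_labels=2):
    """Map one query's payload to a fixed-length id sequence for an embedding layer."""
    payload = ".".join(payload_labels(qname, zone_labels))
    ids = [VOCAB.get(c, UNK) for c in payload][:max_len]   # truncate long payloads
    return ids + [PAD] * (max_len - len(ids))               # right-pad short ones


def encode_batch(qnames, max_len=64, zone_labels=2):
    """Encode several query names into equally shaped rows (a model input batch)."""
    return [encode_query(q, max_len, zone_labels) for q in qnames]


# Constructed sample queries: one ordinary lookup and one tunnel-like name whose
# subdomain labels carry an encoded payload (the values are made up).
SAMPLE_QUERIES = [
    "www.example.com",
    "mfrggzdfmztwq2lk.n5xgmzlbojsw2.t.example.com",
]

if __name__ == "__main__":
    for q, row in zip(SAMPLE_QUERIES, encode_batch(SAMPLE_QUERIES, max_len=40)):
        print(q, "->", sum(1 for i in row if i != PAD), "payload chars")
```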



Acknowledgments

We would like to thank the reviewers for their comments. This work was funded by the National Natural Science Foundation of China (61671360, 61672415), the National Key Basic Research Program (2017YFB0801805), and the Opening Project of Science and Technology on Communication Networks Laboratory (KX172600024).


Corresponding author

Correspondence to Li Yang.


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Zhang, J., Yang, L., Yu, S., Ma, J. (2019). A DNS Tunneling Detection Method Based on Deep Learning Models to Prevent Data Exfiltration. In: Liu, J., Huang, X. (eds) Network and System Security. NSS 2019. Lecture Notes in Computer Science, vol 11928. Springer, Cham. https://doi.org/10.1007/978-3-030-36938-5_32


  • DOI: https://doi.org/10.1007/978-3-030-36938-5_32

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-36937-8

  • Online ISBN: 978-3-030-36938-5

  • eBook Packages: Computer Science (R0)
