
A Practical Machine Learning-Based Framework to Detect DNS Covert Communication in Enterprises

  • Conference paper

Abstract

DNS is a key protocol of the Internet infrastructure that ensures network connectivity. However, DNS is exposed to various threats. In particular, DNS covert communication is a serious threat in enterprise networks: attackers use it to establish stealthy communication channels between internal hosts and remote servers. In this paper, we propose D\(^2\)C\(^2\) (Detection of DNS Covert Communication), a practical and flexible machine learning-based framework to detect DNS covert communications. D\(^2\)C\(^2\) is an end-to-end framework containing modular detection models, both supervised and unsupervised, which detect multiple types of threats efficiently and flexibly. We have deployed D\(^2\)C\(^2\) in a large commercial bank that handles 100 million DNS queries per day. During the deployment, D\(^2\)C\(^2\) detected over 4k anomalous DNS communications per day, achieving a precision of over 0.97 on average. It uncovered a significant number of previously unnoticed security issues, including seven compromised hosts in the enterprise network.



Acknowledgment

This work has been supported by the National Key R&D Program of China (2019YFB1802504), the Beijing National Research Center for Information Science and Technology (BNRist) key projects, and has been partially supported by National Natural Science Foundation of China (grants U1736209 & 61572278). We are also very thankful for all those anonymous reviewers who have given valuable comments on this work.

Corresponding author

Correspondence to Qi Li.


Copyright information

© 2020 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering


Cite this paper

Tang, R. et al. (2020). A Practical Machine Learning-Based Framework to Detect DNS Covert Communication in Enterprises. In: Park, N., Sun, K., Foresti, S., Butler, K., Saxena, N. (eds) Security and Privacy in Communication Networks. SecureComm 2020. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 336. Springer, Cham. https://doi.org/10.1007/978-3-030-63095-9_1


  • DOI: https://doi.org/10.1007/978-3-030-63095-9_1


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-63094-2

  • Online ISBN: 978-3-030-63095-9
