Abstract
The Domain Name System (DNS) is one of the building blocks of the Internet; its key role is translating domain names into IP addresses. DNS is exposed to security threats that target DNS servers or exploit the DNS protocol itself. In this paper, we address a form of protocol exploitation that leads to data breaches: DNS tunneling, in which an attacker exfiltrates sensitive data from a victim network over DNS. The attacker typically breaks the target data into small chunks, encodes each chunk into a DNS query, and sends the resulting queries from the compromised host to the attacker's machine. The queries are then decoded and reassembled on the attacker's side to recover the breached data. Because DNS is a fundamental service, it cannot simply be blocked to mitigate these attacks, and conventional signature-based intrusion detection systems are not very effective at detecting them either. Using some of the available DNS tunneling tools, we first show how this phenomenon occurs. We then present our technique, which employs an ensemble of machine learning algorithms to build a robust classifier for detecting such attacks. Our ensemble classifier achieves high accuracy and near-zero false positives on a training set composed of real benign DNS traffic and generated malicious DNS traffic.
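The chunk-encode-query-reassemble cycle described in the abstract, followed by the kind of per-query features a detector can compute, as an added example. This is not code from the paper or from any of the tunneling tools it evaluates: the zone name `exfil.example`, the secret being exfiltrated, the benign query names and the fixed thresholds in `is_suspicious` are all constructed for illustration, and the thresholds stand in for the paper's learned ensemble classifier rather than reproducing it.

```python
"""DNS tunneling: simulated exfiltration over query names, plus per-query
detection features (constructed example; not the paper's code or model)."""
from __future__ import annotations

import base64
import math
from collections import Counter

MAX_LABEL = 63   # RFC 1035: a single label is at most 63 octets
MAX_NAME = 253   # practical limit for a full name in presentation format


def chunk_to_queries(data: bytes, domain: str, chunk_size: int = 30) -> list[str]:
    """Client side of a tunnel: split `data` into chunks, base32-encode each
    (DNS names are case-insensitive, so base64 would be corrupted by case
    folding) and emit '<seq>-<payload>.<domain>' query names."""
    queries = []
    for seq, offset in enumerate(range(0, len(data), chunk_size)):
        chunk = data[offset:offset + chunk_size]
        payload = base64.b32encode(chunk).decode().rstrip("=").lower()
        label = f"{seq}-{payload}"            # sequence number survives reordering
        assert len(label) <= MAX_LABEL
        qname = f"{label}.{domain}"
        assert len(qname) <= MAX_NAME
        queries.append(qname)
    return queries


def reassemble(queries: list[str], domain: str) -> bytes:
    """Attacker side: the authoritative server for `domain` sees every query,
    strips the zone suffix, restores base32 padding and orders by sequence."""
    suffix = "." + domain
    parts: dict[int, bytes] = {}
    for qname in queries:
        if not qname.endswith(suffix):
            continue                          # unrelated traffic to this server
        label = qname[: -len(suffix)]
        seq, payload = label.split("-", 1)    # base32 alphabet contains no '-'
        padded = payload.upper() + "=" * (-len(payload) % 8)
        parts[int(seq)] = base64.b32decode(padded)
    return b"".join(parts[k] for k in sorted(parts))


def shannon_entropy(s: str) -> float:
    """Bits per character of `s`; encoded payloads score higher than words."""
    n = len(s)
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def features(qname: str) -> dict:
    """Features a detector can compute from one query name. The last two
    labels are treated as the registered domain and excluded (assumption;
    a real system would use the public suffix list)."""
    labels = qname.rstrip(".").split(".")
    sub_labels = labels[:-2]
    sub = ".".join(sub_labels)
    return {
        "qname_len": len(qname),
        "label_count": len(labels),
        "longest_label": max((len(l) for l in sub_labels), default=0),
        "sub_entropy": shannon_entropy(sub) if sub else 0.0,
        "digit_ratio": sum(ch.isdigit() for ch in sub) / len(sub) if sub else 0.0,
    }


def is_suspicious(f: dict) -> bool:
    """Fixed thresholds chosen for this illustration (assumptions), standing
    in for a trained classifier over the same features."""
    return f["longest_label"] > 40 or f["sub_entropy"] > 3.8 or f["digit_ratio"] > 0.3


def demo() -> dict:
    # Constructed secret and attacker zone; nothing here is real data.
    secret = b"customer_db_dump:acct=4111-1111-1111-1111;ssn=123-45-6789"
    domain = "exfil.example"
    tunnel = chunk_to_queries(secret, domain)
    benign = ["www.example.com", "mail.example.com", "api.v2.example.com"]
    return {
        "recovered": reassemble(tunnel, domain) == secret,
        "tunnel_queries": len(tunnel),
        "flagged_tunnel": sum(is_suspicious(features(q)) for q in tunnel),
        "flagged_benign": sum(is_suspicious(features(q)) for q in benign),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The 63-octet label limit is what forces the client to chunk in the first place, and why the `longest_label` feature is so discriminating against naive tunnels; real tools vary label length and encoding, which is why the paper turns to a learned ensemble over many such features rather than a single hand-set threshold.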
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Shafieian, S., Smith, D., Zulkernine, M. (2017). Detecting DNS Tunneling Using Ensemble Learning. In: Yan, Z., Molva, R., Mazurczyk, W., Kantola, R. (eds) Network and System Security. NSS 2017. Lecture Notes in Computer Science, vol. 10394. Springer, Cham. https://doi.org/10.1007/978-3-319-64701-2_9
DOI: https://doi.org/10.1007/978-3-319-64701-2_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-64700-5
Online ISBN: 978-3-319-64701-2
eBook Packages: Computer Science (R0)