Detecting DNS Tunneling Using Ensemble Learning

  • Conference paper

Network and System Security (NSS 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10394)

Abstract

The Domain Name System (DNS) is one of the building blocks of the Internet, playing the key role of translating domain names into IP addresses. DNS can be vulnerable to security threats that affect DNS servers or exploit the DNS protocol. In this paper, we address DNS protocol exploitation that causes data breaches via DNS tunneling, where an attacker employs techniques to exfiltrate sensitive data from a victim network. This usually happens by breaking the target data into small chunks and encoding them into DNS queries. The malicious DNS queries are then communicated from the target to the attacker machine, where they are finally decoded and reassembled to recover the breached data. Since DNS is a fundamental service, it cannot simply be blocked in order to mitigate these DNS tunneling attacks, and conventional signature-based intrusion detection systems are not very effective at detecting these anomalies either. Using some of the available DNS tunneling tools, we first show how this phenomenon can occur. Then, we discuss our technique, which employs a special ensemble of machine learning algorithms to build a robust classifier to detect such attacks. Our ensemble classifier achieves high accuracy and near-zero false positives on a training set based on real benign data and generated malicious DNS traffic.

Correspondence to Saeed Shafieian.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Shafieian, S., Smith, D., Zulkernine, M. (2017). Detecting DNS Tunneling Using Ensemble Learning. In: Yan, Z., Molva, R., Mazurczyk, W., Kantola, R. (eds) Network and System Security. NSS 2017. Lecture Notes in Computer Science, vol 10394. Springer, Cham. https://doi.org/10.1007/978-3-319-64701-2_9

  • DOI: https://doi.org/10.1007/978-3-319-64701-2_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-64700-5

  • Online ISBN: 978-3-319-64701-2

  • eBook Packages: Computer Science (R0)