research-article

NgViz: detecting DNS tunnels through n-gram visualization and quantitative analysis

Authors:

David GustafsonAuthors Info & Claims

CSIIRW '10: Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research

Article No.: 47, Pages 1 - 4

https://doi.org/10.1145/1852666.1852718

Published: 21 April 2010 Publication History

Abstract

This paper introduced NgViz, a tool that examines DNS traffic and shows anomalies in n-gram frequencies. This is accomplished by comparing input files against a fingerprint of legitimate traffic. Both quantitative analysis and visual aids are provided that allow the user to make determinations about the legitimacy of the DNS traffic.

Supplementary Material

Supplemental material. (a47-born_slides.pdf)

Download
986.09 KB

References

[1]

Borders, K. and Prakash, A. 2004. Web tap: detecting covert web traffic. In CCS'04: Proceedings of the 11^th ACM conference on Computer and Communications Security, New York, NY, ACM Press, 110--120.

Digital Library

[2]

Born, K. and Gustafson, D. 2010. Detecting DNS Tunnels Using Character Frequency Analysis. In Proceedings of the 9^th Annual Security Conference, April 7--8, Las Vegas, Nevada.

[3]

Crotti, M., Dusi, M., Gringoli, F., Salgarelli, L. 2007. Detecting HTTP Tunnels with Statistical Mechanisms. IEEE International Conference on Communications (ICC) '07, 6162--6168.

[4]

Crotti, M., Dusi, M., Gringoli, F., Salgarelli, L. 2008. Detection of Encrypted Tunnels Across Network Boundaries. In Proceedings of the 43^rd IEEE International Conference on Communications (ICC 2008), May 19--23, Beijing, China.

[5]

Dembour, O. Dns2tcp. http://www.hsc.fr/ressources/outils/dns2tcp/index.html.en, Nov 2008.

[6]

Dusi, M., Gringoli, F., Salgarelli, L. 2008. A Preliminary Look at the Privacy of SSH Tunnels. In Proceedings of the 17^th IEEE International Conference on Computer Communications and Networks (ICCN 2008), St. Thomas, U.S. Virgin Islands.

[7]

Hind, Jarod. 2009. Catching DNS Tunnels with A.I. In Proceedings of DefCon 17, July 29--Aug 2, Las Vegas, Nevada.

[8]

Iodine. http://code.kryo.se/iodine/, June 2009.

[9]

Plonka, D., and Barford, P. 2008. Context-aware Clustering of DNS Query Traffic. In Proceedings of the 8^th ACM SIGCOMM Internet Measurement Conference (IMC'08), Oct 20--22, Vouliagmeni, Greece.

Digital Library

[10]

Pcap. 2010. http://en.wikipedia.org/wiki/Pcap.

[11]

Ren, P., Kristoff, J., Gooch, B. 2006. Visualizing DNS Traffic. In Proceedings of the 3^rd International Workshop on Visualization for Computer Security, Oct 30--Nov 3, Alexendria, VA.

Digital Library

[12]

Shannon, C. 1951. Prediction and Entropy of Printed English. The Bell Systems Technical Journal, 30:50--64

[13]

TCP-over-DNS tunnel software HOWTO. http://analogbit.com/tcp-over-dns_howto, July 2008

[14]

Top Sites. http://www.alexa.com/topsites, Nov 2009.

[15]

Zipf, G. 1932. Selective Studies and the Principle of Relative Frequency in Language, Cambridge, Ma.

Cited By

Kumar NSurendiran RSamuel GBhavana NShirgire AMalar AQalid A(2024)Health Care DNS Tunnelling Detection Method via Spiking Neural NetworkEmergent Converging Technologies and Biomedical Systems10.1007/978-981-99-8646-0_56(715-725)Online publication date: 25-Feb-2024
https://doi.org/10.1007/978-981-99-8646-0_56
Weifang ZZhong LYu SNingning KPeng S(2023)Attention-based Mechanism for Anomaly Time Slice Detection in DNS Tunnel Communication2023 IEEE 5th International Conference on Civil Aviation Safety and Information Technology (ICCASIT)10.1109/ICCASIT58768.2023.10351659(767-771)Online publication date: 11-Oct-2023
https://doi.org/10.1109/ICCASIT58768.2023.10351659
Sharma NSwarnkar M(2023)OptiTuneD: An Optimized Framework for Zero-Day DNS Tunnel Detection Using N-Grams2023 IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS)10.1109/ANTS59832.2023.10469430(177-182)Online publication date: 17-Dec-2023
https://doi.org/10.1109/ANTS59832.2023.10469430
Show More Cited By

Index Terms

NgViz: detecting DNS tunnels through n-gram visualization and quantitative analysis
1. Networks
  1. Network services

Recommendations

Network traffic analysis over clustering-based collective anomaly detection
Abstract
Due to the ever-growing presence of network traffic, there has been a considerable amount of research on anomaly detection in network traffic by clustering. Most of them have not considered the problem that collective anomaly detection ...
Diagnosing network-wide traffic anomalies

Anomalies are unusual and significant changes in a network's traffic levels, which can often span multiple links. Diagnosing anomalies is critical for both network operators and end users. It is a difficult problem because one must extract and interpret ...
Cloud-edge coordinated traffic anomaly detection for industrial cyber-physical systems
Highlights
- A cloud-edge coordinated traffic anomaly detection approach is proposed.
- An anomalous traffic alarm model is used to detect anomalous traffic continuously.
- A feature extraction algorithm is proposed to efficiently extract traffic ...
Abstract
Industrial cyber-physical systems (ICPSs) are facing increasing cyber threats that can cause catastrophes in the physical systems. Efficient network traffic anomaly detection is essential for guaranteeing the system’s security and reliability. ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

CSIIRW '10: Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research

April 2010

257 pages

ISBN:9781450300179

DOI:10.1145/1852666

Editors:
Frederick T. Sheldon
Oak Ridge National Laboratory
,
Stacy Prowell
Oak Ridge National Laboratory
,
Robert K. Abercrombie
Oak Ridge National Laboratory
,
Axel Krings
University of Idaho

Copyright © 2010 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 21 April 2010

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CSIIRW '10

CSIIRW '10: Annual Cyber Security and Information Intelligence Research Workshop

April 21 - 23, 2010

Tennessee, Oak Ridge, USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

19
Total Citations
View Citations
377
Total Downloads

Downloads (Last 12 months)6
Downloads (Last 6 weeks)0

Reflects downloads up to 05 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Kumar NSurendiran RSamuel GBhavana NShirgire AMalar AQalid A(2024)Health Care DNS Tunnelling Detection Method via Spiking Neural NetworkEmergent Converging Technologies and Biomedical Systems10.1007/978-981-99-8646-0_56(715-725)Online publication date: 25-Feb-2024
https://doi.org/10.1007/978-981-99-8646-0_56
Weifang ZZhong LYu SNingning KPeng S(2023)Attention-based Mechanism for Anomaly Time Slice Detection in DNS Tunnel Communication2023 IEEE 5th International Conference on Civil Aviation Safety and Information Technology (ICCASIT)10.1109/ICCASIT58768.2023.10351659(767-771)Online publication date: 11-Oct-2023
https://doi.org/10.1109/ICCASIT58768.2023.10351659
Sharma NSwarnkar M(2023)OptiTuneD: An Optimized Framework for Zero-Day DNS Tunnel Detection Using N-Grams2023 IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS)10.1109/ANTS59832.2023.10469430(177-182)Online publication date: 17-Dec-2023
https://doi.org/10.1109/ANTS59832.2023.10469430
Sugasawa SShibahashi YKunimune HGoromaru HTanimoto S(2022)DNS-tunneling-detection Method by Monitoring DNS Subdomain Length for General Usage2022 IEEE 11th Global Conference on Consumer Electronics (GCCE)10.1109/GCCE56475.2022.10014255(121-122)Online publication date: 18-Oct-2022
https://doi.org/10.1109/GCCE56475.2022.10014255
Wang YZhou ALiao SZheng RHu RZhang L(2022)A comprehensive survey on DNS tunnel detectionComputer Networks: The International Journal of Computer and Telecommunications Networking10.1016/j.comnet.2021.108322197:COnline publication date: 9-Apr-2022
https://dl.acm.org/doi/10.1016/j.comnet.2021.108322
Wang BXiong GFu PGou GQin YLi Z(2022)A Two-Stage Method for Fine-Grained DNS Covert Tunnel Behavior DetectionScience of Cyber Security10.1007/978-3-031-17551-0_13(201-216)Online publication date: 30-Sep-2022
https://doi.org/10.1007/978-3-031-17551-0_13
Bai HLiu WLiu GDai YHuang S(2021)Application Behavior Identification in DNS Tunnels Based on Spatial-Temporal InformationIEEE Access10.1109/ACCESS.2021.30855009(80639-80653)Online publication date: 2021
https://doi.org/10.1109/ACCESS.2021.3085500
Ahmed JHabibi Gharakheili HRaza QRussell CSivaraman V(2020)Monitoring Enterprise DNS Queries for Detecting Data Exfiltration From Internal HostsIEEE Transactions on Network and Service Management10.1109/TNSM.2019.294073517:1(265-279)Online publication date: Mar-2020
https://doi.org/10.1109/TNSM.2019.2940735
Wu KZhang YYin T(2020)TDAE: Autoencoder-based Automatic Feature Learning Method for the Detection of DNS tunnelICC 2020 - 2020 IEEE International Conference on Communications (ICC)10.1109/ICC40277.2020.9149162(1-7)Online publication date: Jun-2020
https://doi.org/10.1109/ICC40277.2020.9149162
Wang ZDong HChi YZhang JYang TLiu QEmrouznejad AXu Z(2019)DGA and DNS Covert Channel Detection System based on Machine LearningProceedings of the 3rd International Conference on Computer Science and Application Engineering10.1145/3331453.3361663(1-5)Online publication date: 22-Oct-2019
https://dl.acm.org/doi/10.1145/3331453.3361663
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten