research-article

DGA and DNS Covert Channel Detection System based on Machine Learning

Authors:

Qixu LiuAuthors Info & Claims

CSAE '19: Proceedings of the 3rd International Conference on Computer Science and Application Engineering

Article No.: 156, Pages 1 - 5

https://doi.org/10.1145/3331453.3361663

Published: 22 October 2019 Publication History

Get Access

Abstract

In recent years, the application of covert channel to ensure network security has attracted more and more attention from scholars and network attackers, but the research on its detection is relatively few. We propose a DGA and DNS covert channel detection system based machine learning, using improved TF-IDF, specificity score and other algorithms to detect malicious domain names. The experimental results show that the accuracy of the system in detecting malicious domain names is 99.92%.

References

[1]

Nussbaum L, Neyron P, Richard O (2009). On Robust Covert Channels Inside DNS[C]. Emerging Challenges for Security, Privacy & Trust, Ifip Tc 11 International Information Security Conference.

Google Scholar

[2]

Aiello M, Merlo A, Papaleo G (2013). Performance assessment and analysis of DNS tunneling tools[J]. Logic Journal of IGPL, 21(4), 592--602.

Crossref

Google Scholar

[3]

Crotti M, Dusi M, Gringoli F, et al (2007). Detecting HTTP Tunnels with Statistical Mechanisms[C]. Communications, 2007. ICC '07. IEEE International Conference on. IEEE.

Google Scholar

[4]

Dusi M, Crotti M, Gringoli F, et al (2009). Tunnel Hunter: Detecting application-layer tunnels with statistical fingerprinting[J]. Computer Networks, 53(1), 81--97.

Digital Library

Google Scholar

[5]

Marchal S, Francois J, Wagner C, et al (2012). DNSSM: A large scale passive DNS security monitoring framework[J]. Network Operations & Management Symposium IEEE, 131(5), 988--993.

Google Scholar

[6]

Casas P, Mazel J, Owezarski P (2011). MINETRAC: Mining flows for unsupervised analysis & semi-supervised classification[C]. Teletraffic Congress (ITC). 2011--23rd International. IEEE.

Google Scholar

[7]

Bilge L, Kirda E, Kruegel C, et al (2011). EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis[C] Proceedings of the ISOC Network and Distributed System Security Symposium.

Google Scholar

[8]

V. Paxson, Behavioral Detection of Stealthy Intruders[EB], https://seclab.cs.ucsb.edu/academic/projects/projects/cybaware/2011.

Google Scholar

[9]

Born K, Gustafson D (2010). Detecting DNS Tunnels Using Character Frequency Analysis[J].

Google Scholar

[10]

Born K (2010). NgViz: Detecting DNS Tunnels through N-Gram Visualization and Quantitative Analysis[C]. Workshop on Cyber Security & Information Intelligence Research.

Digital Library

Google Scholar

[11]

Gu Chuanzheng (2012). Research on Construction and Detection of covert Channel in DNS Protocol [D]. Shanghai Jiaotong University.

Google Scholar

[12]

Zhang Siyu, Zou Futai, Wang Luhua, et al (2013). Covert channel traffic detection based on DNS [J]. Journal of Communications, 2013(5), 143--151.

Google Scholar

[13]

Yang Jianqiang, Jiang Hongxi (2016). DNS covert channel detection based on the number of FQDN in secondary domain names [J]. Computer Age, 2016 (2), 53 to 55.

Google Scholar

Cited By

View all

Khadse MDakhane D(2024)A Review on Network Covert Channel Construction and Attack DetectionConcurrency and Computation: Practice and Experience10.1002/cpe.831637:1Online publication date: 26-Oct-2024
https://doi.org/10.1002/cpe.8316
Sui ZShu HKang FHuang YHuo G(2023)A Comprehensive Review of Tunnel Detection on Multilayer Protocols: From Traditional to Machine Learning ApproachesApplied Sciences10.3390/app1303197413:3(1974)Online publication date: 3-Feb-2023
https://doi.org/10.3390/app13031974
AL-Khulaidi NZahary AHazaa MNasser A(2023)Covert Channel Detection and Generation Techniques: A Survey2023 3rd International Conference on Emerging Smart Technologies and Applications (eSmarTA)10.1109/eSmarTA59349.2023.10293582(01-09)Online publication date: 10-Oct-2023
https://doi.org/10.1109/eSmarTA59349.2023.10293582
Show More Cited By

Index Terms

DGA and DNS Covert Channel Detection System based on Machine Learning
1. Security and privacy
  1. Network security
    1. Denial-of-service attacks

Recommendations

DNS covert channel detection method using the LSTM model
Highlights
- Introducing LSTM model to the detection of DNS cover channels using FQDNs.
- ...
Abstract
DNS is a kind of basic network protocol that is rarely blocked by firewalls; therefore, it is used to build covert channels. Malicious DNS covert channels play an important role in data exfiltration and botnets and do great harm to the ...
DGA-based botnets detection using DNS traffic mining
Abstract
Botnet is a network of infected workstations that are remotely managed by BotMaster via the command and control (C&C) server. Botnets pose a serious threat to network security since they are the source of a variety of malicious behaviors such as ...
DGA-based malware detection using DNS traffic analysis
RACS '19: Proceedings of the Conference on Research in Adaptive and Convergent Systems

A large number of malicious software communicate with C & C (Command and Control) servers to download resources for malicious actions or to receive commands to perform desired attacks. Malware needs to know C & C servers' IP addresses to communicate ...

Comments

Information & Contributors

Information

Published In

CSAE '19: Proceedings of the 3rd International Conference on Computer Science and Application Engineering

October 2019

942 pages

ISBN:9781450362948

DOI:10.1145/3331453

Conference Chair:
Ali Emrouznejad,
Program Chair:
Zeshui Xu

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 22 October 2019

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Funding Sources

the Fundamental Research Funds for the Central Universities
Key Lab of Information Network Security, Ministry of Public Security
Special fund on education and teaching reform of Besti
key laboratory of network assessment technology of Institute of Information Engineering, Chinese Academy of Sciences
the National Key Research and Development Plan

Conference

CSAE 2019

CSAE 2019: The 3rd International Conference on Computer Science and Application Engineering

October 22 - 24, 2019

Sanya, China

Acceptance Rates

Overall Acceptance Rate 368 of 770 submissions, 48%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

6
Total Citations
View Citations
232
Total Downloads

Downloads (Last 12 months)20
Downloads (Last 6 weeks)0

Reflects downloads up to 07 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Khadse MDakhane D(2024)A Review on Network Covert Channel Construction and Attack DetectionConcurrency and Computation: Practice and Experience10.1002/cpe.831637:1Online publication date: 26-Oct-2024
https://doi.org/10.1002/cpe.8316
Sui ZShu HKang FHuang YHuo G(2023)A Comprehensive Review of Tunnel Detection on Multilayer Protocols: From Traditional to Machine Learning ApproachesApplied Sciences10.3390/app1303197413:3(1974)Online publication date: 3-Feb-2023
https://doi.org/10.3390/app13031974
AL-Khulaidi NZahary AHazaa MNasser A(2023)Covert Channel Detection and Generation Techniques: A Survey2023 3rd International Conference on Emerging Smart Technologies and Applications (eSmarTA)10.1109/eSmarTA59349.2023.10293582(01-09)Online publication date: 10-Oct-2023
https://doi.org/10.1109/eSmarTA59349.2023.10293582
Zou FRen YZhu JTang J(2021)Detecting Data Leakage in DNS Traffic based on Time Series Anomaly Detection2021 IEEE 23rd Int Conf on High Performance Computing & Communications; 7th Int Conf on Data Science & Systems; 19th Int Conf on Smart City; 7th Int Conf on Dependability in Sensor, Cloud & Big Data Systems & Application (HPCC/DSS/SmartCity/DependSys)10.1109/HPCC-DSS-SmartCity-DependSys53884.2021.00090(503-510)Online publication date: Dec-2021
https://doi.org/10.1109/HPCC-DSS-SmartCity-DependSys53884.2021.00090
Jiang YJia MZhang BDeng L(2021)Malicious Domain Name Detection Model Based on CNN-GRU-Attention2021 33rd Chinese Control and Decision Conference (CCDC)10.1109/CCDC52312.2021.9602373(1602-1607)Online publication date: 22-May-2021
https://doi.org/10.1109/CCDC52312.2021.9602373
Truong TDiep QZelinka I(2020)Artificial Intelligence in the Cyber Domain: Offense and DefenseSymmetry10.3390/sym1203041012:3(410)Online publication date: 4-Mar-2020
https://doi.org/10.3390/sym12030410

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Abstract

References

Cited By

Index Terms

Recommendations

DNS covert channel detection method using the LSTM model

DGA-based botnets detection using DNS traffic mining

DGA-based malware detection using DNS traffic analysis

Comments

Information

Published In

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Funding Sources

Conference

Acceptance Rates

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Login options

Full Access

View options

PDF

eReader

Share

Share this Publication link

Share on social media

Affiliations