DOI: 10.1145/3465481.3470089
Research article

Network Flow Entropy for Identifying Malicious Behaviours in DNS Tunnels

Published: 17 August 2021

Abstract

In this paper, we propose the concept of "entropy of a flow" to augment flow statistical features for identifying malicious behaviours in DNS tunnels, specifically DNS over HTTPS traffic. To achieve this, we explore the use of three flow exporters, namely Argus, DoHlyzer and Tranalyzer2, to extract flow statistical features. We then augment these features using different ways of calculating the entropy of a flow. To this end, we investigate three entropy calculation approaches: entropy over all packets of a flow, entropy over the first 96 bytes of a flow, and entropy over the first n packets of a flow. We evaluate five machine learning classifiers, namely Decision Tree, Random Forest, Logistic Regression, Support Vector Machine and Naive Bayes, using these features in order to identify malicious behaviours in different publicly available datasets. The evaluations show that the Decision Tree classifier achieves an F-measure of 99.7% when flow statistical features are augmented with entropy of a flow calculated over the first 4 packets.
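The three entropy-of-a-flow variants named in the abstract, as an added illustration rather than the authors' code: it assumes the entropy is Shannon entropy in bits per byte over the concatenated packet payloads, that the flow exporter row is a plain dictionary, and the two sample flows are constructed, not captured traffic.

```python
import math
from collections import Counter
from typing import Dict, List


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_all_packets(packets: List[bytes]) -> float:
    """Entropy over the payload bytes of every packet in the flow."""
    return shannon_entropy(b"".join(packets))


def entropy_first_bytes(packets: List[bytes], limit: int = 96) -> float:
    """Entropy over only the first `limit` payload bytes of the flow (96 in the paper)."""
    return shannon_entropy(b"".join(packets)[:limit])


def entropy_first_n_packets(packets: List[bytes], n: int = 4) -> float:
    """Entropy over the payload bytes of the first `n` packets of the flow (4 in the paper)."""
    return shannon_entropy(b"".join(packets[:n]))


def augment_flow_features(exporter_row: Dict[str, float], packets: List[bytes],
                          n: int = 4, limit: int = 96) -> Dict[str, float]:
    """Append the three entropy features to one flow exporter feature row
    (assumed to be a dict such as one built from Argus, DoHlyzer or Tranalyzer2 output)."""
    row = dict(exporter_row)  # the exporter's own features are left unchanged
    row["entropy_all_packets"] = entropy_all_packets(packets)
    row[f"entropy_first_{limit}_bytes"] = entropy_first_bytes(packets, limit)
    row[f"entropy_first_{n}_packets"] = entropy_first_n_packets(packets, n)
    return row


# Constructed sample flows (not captured traffic): six 64-byte packets each.
# LOW_FLOW alternates two byte values, so every variant yields exactly 1.0 bit/byte.
LOW_FLOW = [b"ab" * 32] * 6
# HIGH_FLOW cycles through all 256 byte values and then wraps around, which is how
# an encrypted tunnel payload looks to a byte-frequency estimator.
HIGH_FLOW = [bytes(range(i * 64, i * 64 + 64)) for i in range(4)] + \
            [bytes(range(0, 64)), bytes(range(64, 128))]

if __name__ == "__main__":
    for name, flow in (("low", LOW_FLOW), ("high", HIGH_FLOW)):
        print(name, augment_flow_features({"pkts": len(flow)}, flow))
```

Note that the first-96-bytes and first-4-packets variants disagree on HIGH_FLOW (about 6.58 versus 8.0 bits/byte), which is the kind of difference between the three approaches the paper evaluates.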




Published In

ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security
August 2021, 1447 pages
ISBN: 9781450390514
DOI: 10.1145/3465481

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. Cyber security
  2. DNS tunnels
  3. HTTPS tunnels
  4. Machine Learning
  5. Network Flow Entropy

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES 2021

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Cited By

  • (2024) MFC-DoH: DoH Tunnel Detection Based on the Fusion of MAML and F-CNN. Proceedings of the 21st ACM International Conference on Computing Frontiers, 267-275. DOI: 10.1145/3649153.3649207. Online publication date: 7 May 2024.
  • (2023) DoH Tunneling Traffic Detection Based on Single Packet Features Analysis. Proceedings of the 2023 12th International Conference on Networks, Communication and Computing, 57-63. DOI: 10.1145/3638837.3638861. Online publication date: 15 Dec 2023.
  • (2023) Malicious encrypted network traffic flow detection using enhanced optimal deep feature selection with DLSTM. International Journal of Modeling, Simulation, and Scientific Computing 15:01. DOI: 10.1142/S1793962324500119. Online publication date: 19 Jul 2023.
  • (2023) Malicious DNS Tunnel Tool Recognition Using Persistent DoH Traffic Analysis. IEEE Transactions on Network and Service Management 20:2, 2086-2095. DOI: 10.1109/TNSM.2022.3215681. Online publication date: 1 Jun 2023.
  • (2023) PACLASS: A Lightweight Classification Framework on DNS-Over-HTTPS. ICC 2023 - IEEE International Conference on Communications, 3805-3810. DOI: 10.1109/ICC45041.2023.10279398. Online publication date: 28 May 2023.
  • (2023) Detection of DGA-based Malware Communications from DoH Traffic Using Machine Learning Analysis. 2023 IEEE 20th Consumer Communications & Networking Conference (CCNC), 224-229. DOI: 10.1109/CCNC51644.2023.10059835. Online publication date: 8 Jan 2023.
  • (2022) PicP-MUD: Profiling Information Content of Payloads in MUD Flows for IoT Devices. 2022 IEEE 23rd International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM), 521-526. DOI: 10.1109/WoWMoM54355.2022.00081. Online publication date: Jun 2022.
  • (2022) A security model for DNS tunnel detection on cloud platform. 2022 Workshop on Communication Networks and Power Systems (WCNPS), 1-6. DOI: 10.1109/WCNPS56355.2022.9969715. Online publication date: 17 Nov 2022.
  • (2022) DNS tunnels detection via DNS-images. Information Processing and Management: an International Journal 59:3. DOI: 10.1016/j.ipm.2022.102930. Online publication date: 1 May 2022.
