Research article (open access). DOI: 10.1145/3649153.3649207

MFC-DoH: DoH Tunnel Detection Based on the Fusion of MAML and F-CNN

Published: 02 July 2024

Abstract

Domain Name System (DNS) tunnels, used by attackers to transmit sensitive information through the plaintext DNS protocol, have garnered significant attention. To address the security concerns of DNS, the Internet Engineering Task Force (IETF) introduced the DNS-over-HTTPS (DoH) protocol in 2018, aiming to encrypt DNS data transmission and effectively safeguard user privacy. However, attackers cleverly conceal DNS tunnels within HTTPS using the DoH protocol, rendering traditional detection methods ineffective and resulting in numerous areas being impacted by malicious events. Although there are studies on DoH tunnel detection, few are concerned with DoH tunnel detection in few-shot scenarios. This paper proposes a novel method called MFC-DoH, based on the combination of Model-Agnostic Meta-Learning (MAML) and a unique CNN network (F-CNN) that introduces a frequency-domain layer and a multi-head attention layer (MHSA). We evaluate our method on a public dataset. Experimental results show that our method significantly outperforms the existing approach in detecting DoH tunnels in few-shot scenarios.


Cited By

  • MTL-DoHTA: Multi-Task Learning-Based DNS over HTTPS Traffic Analysis for Enhanced Network Security. Sensors 25(4):993, 2025 (online publication date: 7 Feb 2025). https://doi.org/10.3390/s25040993


    Published In

    CF '24: Proceedings of the 21st ACM International Conference on Computing Frontiers, May 2024, 345 pages.
    ISBN: 9798400705977
    DOI: 10.1145/3649153
    This work is licensed under a Creative Commons Attribution International 4.0 License.

    Publisher

    Association for Computing Machinery, New York, NY, United States

    Author Tags

    1. Anomaly Detection
    2. Data Exfiltration
    3. DoH Tunnel
    4. MAML

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    CF '24

    Acceptance Rates

    CF '24 paper acceptance rate: 33 of 105 submissions (31%)
    Overall acceptance rate: 273 of 785 submissions (35%)

    Article Metrics

    • Downloads (last 12 months): 215
    • Downloads (last 6 weeks): 59
    Reflects downloads up to 11 Feb 2025
