A DNS Tunneling Detection Method Based on Deep Learning Models to Prevent Data Exfiltration

Publisher: Springer International Publishing
Publication Type: Conference Proceeding
Citation: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2019, 11928 LNCS, pp. 520-535
Issue Date: 2019-01-01
File: Zhang2019_Chapter_ADNSTunnelingDetectionMethodBa.pdf (Published version, Adobe PDF, 1.33 MB)
© 2019, Springer Nature Switzerland AG.

DNS tunneling is a typical DNS attack that has been used to steal information for many years. The stolen data is encoded and encapsulated into DNS requests to evade intrusion detection. Popular machine learning detection methods use features such as network traffic statistics and DNS behavior. However, most of these features, such as time-frequency related features, can only be extracted while data exfiltration is already occurring. The key to preventing data exfiltration over DNS tunneling is therefore to detect a malicious query from a single DNS request. Since we use neither network traffic features nor DNS behavior features, our method can detect DNS tunneling before data exfiltration takes place. In this paper, we propose a detection method based on deep learning models that uses the DNS query payloads as the predictive variables. As DNS tunneling data is a kind of text, our approach uses word embedding, a feature extraction method from natural language processing (NLP), as part of fitting the neural networks. To achieve high performance, the detection decision is made by common deep learning models, including a dense neural network (DNN), a one-dimensional convolutional neural network (1D-CNN) and a recurrent neural network (RNN). We implement the DNS tunneling detection system in a real network environment. The results show that our approach achieves 99.90% accuracy and is more secure than existing methods.