A DNS Tunneling Detection Method Based on Deep Learning Models to Prevent Data Exfiltration

Zhang, J; Yang, L; Yu, S; Ma, J

A DNS Tunneling Detection Method Based on Deep Learning Models to Prevent Data Exfiltration

Zhang, J Yang, L Yu, S

Ma, J

Permalink

Publisher:: Springer International Publishing
Publication Type:: Conference Proceeding
Citation:: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2019, 11928 LNCS, pp. 520-535
Issue Date:: 2019-01-01

Closed Access

	Filename	Description	Size
	Zhang2019_Chapter_ADNSTunnelingDetectionMethodBa.pdf	Published version	1.33 MB	Adobe PDF	View/Open

Copyright Clearance Process

Recently Added
In Progress
Closed Access

This item is closed access and not available.

Full metadata record

Field	Value	Language
dc.contributor.author	Zhang, J
dc.contributor.author	Yang, L
dc.contributor.author	Yu, S https://orcid.org/0000-0003-4485-6743
dc.contributor.author	Ma, J
dc.date.accessioned	2020-06-20T23:39:33Z
dc.date.available	2020-06-20T23:39:33Z
dc.date.issued	2019-01-01
dc.identifier.citation	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2019, 11928 LNCS, pp. 520-535
dc.identifier.isbn	9783030369378
dc.identifier.issn	0302-9743
dc.identifier.issn	1611-3349
dc.identifier.uri	http://hdl.handle.net/10453/141592
dc.description.abstract	© 2019, Springer Nature Switzerland AG. DNS tunneling is a typical DNS attack that has been used for stealing information for many years. The stolen data is encoded and encapsulated into the DNS request to evade intrusion detection. The popular detection methods of machine learning use features, such as network traffic and DNS behavior. However, most features can only be extracted when data exfiltration occurs, like time-frequency related features. The key to prevent data exfiltration based on DNS tunneling is to detect the malicious query from single DNS request. Since we don’t use the network traffic features and DNS behavior features, our method can detect DNS tunneling before data exfiltration. In this paper, we propose a detection method based on deep learning models, which uses the DNS query payloads as predictive variables in the models. As the DNS tunneling data is a kind of text, our approach use word embedding as a part of fitting the neural networks, which is a feature extraction method in natural language processing (NLP). In order to achieve high performance, the detection decision is made by these common deep learning models, including dense neural network (DNN), one-dimensional convolutional neural network (1D-CNN) and recurrent neural network (RNN). We implement the DNS tunneling detection system in the real network environment. The results show that our approach achieves 99.90% accuracy and is more secure than existing methods.
dc.language	en
dc.publisher	Springer International Publishing
dc.relation.ispartof	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
dc.relation.isbasedon	10.1007/978-3-030-36938-5_32
dc.rights	info:eu-repo/semantics/restrictedAccess
dc.subject.classification	Artificial Intelligence & Image Processing
dc.title	A DNS Tunneling Detection Method Based on Deep Learning Models to Prevent Data Exfiltration
dc.type	Conference Proceeding
utslib.citation.volume	11928 LNCS
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology
pubs.organisational-group	/University of Technology Sydney
utslib.copyright.status	closed_access	*
dc.date.updated	2020-06-20T23:39:29Z
pubs.publication-status	Published
pubs.volume	11928 LNCS

Abstract:

© 2019, Springer Nature Switzerland AG. DNS tunneling is a typical DNS attack that has been used for stealing information for many years. The stolen data is encoded and encapsulated into the DNS request to evade intrusion detection. The popular detection methods of machine learning use features, such as network traffic and DNS behavior. However, most features can only be extracted when data exfiltration occurs, like time-frequency related features. The key to prevent data exfiltration based on DNS tunneling is to detect the malicious query from single DNS request. Since we don’t use the network traffic features and DNS behavior features, our method can detect DNS tunneling before data exfiltration. In this paper, we propose a detection method based on deep learning models, which uses the DNS query payloads as predictive variables in the models. As the DNS tunneling data is a kind of text, our approach use word embedding as a part of fitting the neural networks, which is a feature extraction method in natural language processing (NLP). In order to achieve high performance, the detection decision is made by these common deep learning models, including dense neural network (DNN), one-dimensional convolutional neural network (1D-CNN) and recurrent neural network (RNN). We implement the DNS tunneling detection system in the real network environment. The results show that our approach achieves 99.90% accuracy and is more secure than existing methods.

Please use this identifier to cite or link to this item:

http://hdl.handle.net/10453/141592