Detection of Malicious and Low Throughput Data Exfiltration Over the DNS Protocol

Asaf Nadler, Avi Aminov, Asaf Shabtai

DNS Covert Channel Detection via Behavioral Analysis: a Machine Learning Approach

The proposed solution has been evaluated over a 15-day-long experimental session with the injection of traffic that covers the most relevant exfiltration and tunneling attacks: all the malicious variants were detected, while producing a low false-positive rate during the same period.

Monitoring Enterprise DNS Queries for Detecting Data Exfiltration From Internal Hosts

This paper develops and evaluates a real-time mechanism for detecting exfiltration and tunneling of data over DNS that runs at the enterprise edge, unlike prior solutions that operate off-line or in the network core.

Lightweight Hybrid Detection of Data Exfiltration using DNS based on Machine Learning

A two-layered hybrid approach that uses a set of well-defined features to detect low-and-slow data exfiltration and tunneling over DNS; it can be embedded into existing stateless detection systems to extend their capability to identify advanced attacks.
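The two-layer idea above (a stateless per-query check plus a stateful per-domain aggregate that catches low-and-slow channels) as an added, self-contained example; this is illustrative code written for this page, not the paper's implementation. The log lines, the thresholds, and the naive "registered domain = last two labels" rule are constructed assumptions; a deployment would tune thresholds on its own baseline and use the Public Suffix List.

```python
"""Two-layer DNS exfiltration/tunnel detector (illustrative example, not the paper's code).

Layer 1 is stateless: each query is scored on its own from the shape of the
name (subdomain length, longest label, Shannon entropy of the subdomain part).
Layer 2 is stateful: queries are aggregated per registered domain so that a
low-and-slow channel, whose individual queries all look benign, is caught by the
number of distinct subdomains and the total bytes carried in query names.
All thresholds and the sample log below are constructed assumptions.
"""
import math
from collections import defaultdict

# Constructed sample log: (client_ip, qname). Assumed to be one 5-minute window.
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "cdn.example.com"),
    ("10.0.0.7", "www.example.com"),
    # one long, high-entropy label: a classic tunnel/exfil chunk (base32-like alphabet)
    ("10.0.0.9", "abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvw.t.tunnel-example.org"),
]
# twelve short hex-counter subdomains: low and slow, each query individually benign
SAMPLE_LOG += [("10.0.0.11", f"{i:04x}.c.badexample.net") for i in range(12)]

# Assumed thresholds; tune them against your own baseline traffic.
MAX_SUBDOMAIN_LEN = 50
MAX_LABEL_LEN = 40
MAX_ENTROPY_BITS = 4.0
MAX_UNIQUE_SUBDOMAINS = 10
MAX_SUBDOMAIN_BYTES = 400


def shannon_entropy(text):
    """Bits per symbol of the character distribution in `text`."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (registered_domain, subdomain). Assumes the registered domain is the
    last two labels; production code should consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def query_features(qname):
    domain, sub = split_name(qname)
    sub_labels = sub.split(".") if sub else []
    return {
        "domain": domain,
        "subdomain": sub,
        "sub_len": len(sub),
        "max_label_len": max((len(lbl) for lbl in sub_labels), default=0),
        "entropy": shannon_entropy(sub.replace(".", "")),
    }


def stateless_flag(qname):
    """Layer 1: does this single query look like a tunnel/exfil chunk?"""
    f = query_features(qname)
    return (f["sub_len"] >= MAX_SUBDOMAIN_LEN
            or f["max_label_len"] >= MAX_LABEL_LEN
            or f["entropy"] >= MAX_ENTROPY_BITS)


def stateful_flags(log):
    """Layer 2: per registered domain, count distinct subdomains and the bytes
    carried in the subdomain part across the window; return domains over threshold."""
    stats = defaultdict(lambda: {"subs": set(), "bytes": 0, "clients": set()})
    for client, qname in log:
        domain, sub = split_name(qname)
        stats[domain]["subs"].add(sub)
        stats[domain]["bytes"] += len(sub)
        stats[domain]["clients"].add(client)
    return {d: s for d, s in stats.items()
            if len(s["subs"]) >= MAX_UNIQUE_SUBDOMAINS or s["bytes"] >= MAX_SUBDOMAIN_BYTES}


def detect(log):
    """Union of both layers: returns {registered_domain: reason}."""
    verdicts = {}
    for _, qname in log:
        if stateless_flag(qname):
            verdicts[split_name(qname)[0]] = "stateless: suspicious single query"
    for domain in stateful_flags(log):
        verdicts.setdefault(domain, "stateful: low-and-slow pattern")
    return verdicts


if __name__ == "__main__":
    for domain, reason in detect(SAMPLE_LOG).items():
        print(f"{domain}: {reason}")
```

On the constructed log, layer 1 alone catches only the long base32-like query; the twelve short counter subdomains to badexample.net pass every per-query threshold and are surfaced only by the per-domain distinct-subdomain count, which is the gap the stateful layer exists to close.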

DNS Tunneling Detection by Cache-Property-Aware Features

This study proposes a DNS tunneling detection method based on cache-property-aware features and shows that one of the proposed features efficiently characterizes DNS tunneling traffic.

DNSxD: Detecting Data Exfiltration Over DNS

This paper addresses DNS-based data exfiltration by proposing a detection and mitigation method that leverages the Software-Defined Network (SDN) architecture; it presents the DNSxD application and evaluates its performance against current exfiltration detection mechanisms.

MORTON: Detection of Malicious Routines in Large-Scale DNS Traffic

The results demonstrate that while MORTON's accuracy is comparable to that of the two systems for beaconing detection, it outperforms the systems in terms of its ability to detect sophisticated bot communication techniques such as multi-stage channels, as well as its robustness and efficiency.

An Analysis of the Use of DNS for Malicious Payload Distribution

  • Ishmael Dube, G. Wells
  • Computer Science
    2020 2nd International Multidisciplinary Information Technology and Engineering Conference (IMITEC)
  • 2020
This research undertaking analysed the use of the DNS in detecting domains and channels that are used for distributing malicious payloads and found that it is possible to detect malicious payload distribution channels through the analysis of DNS TXT resource records.

Cache-Property-Aware Features for DNS Tunneling Detection

The extensive experiments show that one of the proposed features can clearly distinguish DNS tunneling traffic, which makes it useful to design and implement a solid DNS firewall against DNS tunneled traffic.

A DNS Tunneling Detection Method Based on Deep Learning Models to Prevent Data Exfiltration

This method detects DNS tunneling before data is exfiltrated, by identifying the malicious query from a single DNS request.

An approach towards anomaly based detection and profiling covert TCP/IP channels

This work will explore the approach of combining anomaly based detection and covert channel profiling to be used for detecting a very precise subset of covert storage channels in network protocols, and describe a specialized tool to passively monitor networks for these types of attacks.

Detection of malicious payload distribution channels in DNS

A system that analyzes the resource record activities of domain names and builds DNS zone profiles to detect payload distribution channels is presented; it reveals a few previously unreported long-running hidden domains used by the Morto worm for distributing malicious payloads.

Detection of DNS Based Covert Channels

This work shows that freely available covert DNS tools have particular traffic signatures that can be detected in order to mitigate data exfiltration and C&C traffic; the authors also built a test bed system that uses a covert DNS channel to exfiltrate data from a compromised host.

ProVeX: Detecting Botnets with Encrypted Command and Control Channels

The proposed ProVeX system automatically derives probabilistic vectorized signatures for fields in the C&C protocol by evaluating byte probabilities in the C&C input traces used for training, and can detect all studied malware families, most of which are not detectable with traditional means.

Entropy-based Prediction of Network Protocols in the Forensic Analysis of DNS Tunnels

This paper analyzes the internal packet structure of DNS tunneling techniques, characterizes the information entropy of different network protocols and their DNS-tunneled equivalents, and presents a protocol prediction method that uses entropy distribution averaging.
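A worked illustration of the entropy-averaging idea, added here as an example that is not the paper's code or method: a toy base32 tunnel encoder/decoder stands in for the tunnel, the reassembled payload is cut into fixed windows, the per-window entropies are averaged into a single number per protocol, and an unknown stream is assigned the nearest profile. The HTTP text, the SHA-256 counter stream standing in for an encrypted protocol, the chunk and window sizes, and the domain t.example.org are all constructed assumptions.

```python
"""Entropy-distribution averaging to predict the protocol inside a DNS tunnel.

Illustrative example written for this page, not the cited paper's method or code.
A tunnel chops the inner protocol into chunks and base32-encodes each one into a
label. After forensic reassembly, the per-window entropy of the payload still
reflects the inner protocol: plain-text HTTP windows sit far below 8 bits/byte,
an encrypted (SSH/TLS-like) stream sits near the maximum. Each known protocol is
profiled by its average window entropy; an unknown stream gets the nearest profile.
"""
import base64
import hashlib
import math

CHUNK = 35    # raw bytes per label: base32 of 35 bytes is 56 chars, under the 63-char label limit
WINDOW = 256  # bytes per entropy measurement on the reassembled stream (assumed)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte-value distribution in `data`."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def encode_tunnel(payload: bytes, domain: str = "t.example.org"):
    """Split payload into labels the way a simple base32 tunnel client would:
    <hex sequence>.<base32 data>.<tunnel domain>."""
    names = []
    for i in range(0, len(payload), CHUNK):
        label = base64.b32encode(payload[i:i + CHUNK]).decode().rstrip("=").lower()
        names.append(f"{i // CHUNK:04x}.{label}.{domain}")
    return names


def decode_tunnel(names):
    """Forensic reassembly: order by the sequence label, base32-decode the data label."""
    chunks = []
    for name in names:
        seq, label = name.split(".")[:2]
        padded = label.upper() + "=" * (-len(label) % 8)
        chunks.append((int(seq, 16), base64.b32decode(padded)))
    return b"".join(c for _, c in sorted(chunks))


def entropy_profile(data: bytes):
    """Entropy of each full WINDOW-byte slice of the stream (partial tail ignored)."""
    return [shannon_entropy(data[i:i + WINDOW]) for i in range(0, len(data) - WINDOW + 1, WINDOW)]


def average_entropy(data: bytes) -> float:
    prof = entropy_profile(data)
    if not prof:                      # stream shorter than one window
        return shannon_entropy(data)
    return sum(prof) / len(prof)


# Constructed training samples (assumptions, not captured traffic).
HTTP_SAMPLE = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
               b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n") * 12


def pseudo_random(n: int, seed: bytes = b"ssh-like") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 in counter mode) standing in for an encrypted stream."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


ENCRYPTED_SAMPLE = pseudo_random(len(HTTP_SAMPLE))

# One number per protocol: the average of its window-entropy distribution.
PROFILES = {"http": average_entropy(HTTP_SAMPLE), "encrypted": average_entropy(ENCRYPTED_SAMPLE)}


def predict_protocol(names, profiles=PROFILES) -> str:
    """Reassemble the tunneled payload from query names and pick the nearest profile."""
    avg = average_entropy(decode_tunnel(names))
    return min(profiles, key=lambda p: abs(profiles[p] - avg))


if __name__ == "__main__":
    for proto, avg in PROFILES.items():
        print(f"{proto}: {avg:.2f} bits/byte")
    print(predict_protocol(encode_tunnel(b"GET / HTTP/1.1\r\nHost: x\r\n\r\n" * 20)))
```

Two profiles are enough to show the mechanism; a real forensic workflow would profile every protocol of interest from clean captures and would have to cope with tunnels that compress or encrypt the inner stream, which pushes every protocol toward the same high-entropy profile.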

Detection of DNS Tunneling in Mobile Networks Using Machine Learning

Two machine learning techniques, One-Class Support Vector Machine (OCSVM) and K-Means, are evaluated, and the results show that machine learning techniques can yield quite efficient detection solutions.

Combating Malicious DNS Tunnel

The goal of DNS tunnel is to use DNS as a communication stack between the querier and the responder, which can be used for “command and control”, data exfiltration or tunneling of any internet protocol (IP) traffic.

Data Exfiltration Detection and Prevention: Virtually Distributed POMDPs for Practically Safer Networks

This work provides a fast, scalable POMDP formulation to address the challenge of detecting data exfiltration over Domain Name System (DNS) queries, and provides a decision-theoretic technique that sequentially plans to accumulate evidence under uncertainty while taking into account the cost of deploying such sensors.

Behavior-based tracking: Exploiting characteristic patterns in DNS traffic

Detection of Tunnels in PCAP Data by Random Forests

This paper describes an approach for detecting the presence of domain name system (DNS) tunnels in network traffic using random forest classifiers to distinguish normal DNS activity from tunneling activity.