Title
Flow-based detection of DNS tunnels
Author
Ellens, W.
Zuraniewski, P.W.
Sperotto, A.
Schotanus, H.A.
Mandjes, M.
Meeuwissen, H.B.
Contributor
Doyen, G. (editor)
Waldburger, M. (editor)
Publication year
2013
Abstract
DNS tunnels allow circumventing access and security policies in firewalled networks. Such a breach can be misused for activities like free web browsing, but also for command & control traffic or cyber espionage, which motivates the search for effective automated DNS tunnel detection techniques. In this paper we develop such a technique, based on the monitoring and analysis of network flows. Our methodology combines flow information with statistical methods for anomaly detection. The contribution of our paper is twofold. Firstly, based on flow-derived variables that we identified as indicative of DNS tunnelling activity, we identify and evaluate a set of non-parametric statistical tests that are particularly useful in this context. Secondly, the efficacy of the resulting tests is demonstrated by extensive validation experiments in an operational environment, covering many different usage scenarios. © 2013 IFIP International Federation for Information Processing.
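The approach the abstract sketches, as a runnable illustration added by the editor (not code from the paper or its authors): derive a per-host variable from NetFlow-style records and compare a recent window against that host's own baseline with a non-parametric two-sample test. The abstract names neither the variables nor the tests, so the choices below are assumptions: the variable is bytes per packet of flows to port 53 (tunnels encode data in long labels and TXT answers, so packets grow), and the test is the Mann-Whitney U rank-sum test with a normal approximation and no tie correction. The flow records are constructed.

```python
"""Flow-based DNS tunnel detection sketch (editor's example, not the paper's code).

Assumptions not taken from the paper:
  * flow-derived variable: bytes per packet of flows to UDP/53, per source host;
  * test: one-sided Mann-Whitney U (rank-sum), normal approximation, ties averaged,
    no tie correction in the variance (adequate for a sketch, not for small n).
"""
import math
from collections import defaultdict

# Constructed NetFlow-style records: (src, dst, dst_port, packets, bytes).
# Baseline window: ordinary lookups, 1-3 packets per flow, ~70-105 bytes/packet.
BASELINE_FLOWS = [
    ("10.0.0.5", "10.0.0.2", 53, 2, 150), ("10.0.0.5", "10.0.0.2", 53, 2, 180),
    ("10.0.0.5", "10.0.0.2", 53, 2, 164), ("10.0.0.5", "10.0.0.2", 53, 2, 200),
    ("10.0.0.5", "10.0.0.2", 53, 1, 68),  ("10.0.0.5", "10.0.0.2", 53, 2, 210),
    ("10.0.0.5", "10.0.0.2", 53, 2, 176), ("10.0.0.5", "10.0.0.2", 53, 3, 270),
    ("10.0.0.5", "10.0.0.2", 53, 2, 190), ("10.0.0.5", "10.0.0.2", 53, 2, 156),
    ("10.0.0.5", "93.184.216.34", 443, 40, 30000),  # non-DNS flow, must be ignored
]
# Later window for the same host: DNS flows carrying far larger packets.
SUSPECT_FLOWS = [
    ("10.0.0.5", "10.0.0.2", 53, 2, 640),  ("10.0.0.5", "10.0.0.2", 53, 4, 1100),
    ("10.0.0.5", "10.0.0.2", 53, 3, 990),  ("10.0.0.5", "10.0.0.2", 53, 2, 700),
    ("10.0.0.5", "10.0.0.2", 53, 5, 1450), ("10.0.0.5", "10.0.0.2", 53, 2, 560),
    ("10.0.0.5", "10.0.0.2", 53, 3, 1050), ("10.0.0.5", "10.0.0.2", 53, 4, 1240),
    ("10.0.0.5", "10.0.0.2", 53, 2, 820),  ("10.0.0.5", "10.0.0.2", 53, 3, 900),
    ("10.0.0.5", "93.184.216.34", 443, 35, 28000),  # non-DNS flow, must be ignored
]


def dns_bytes_per_packet(flows, dns_port=53):
    """Per source host, the bytes-per-packet value of each flow to dns_port."""
    per_host = defaultdict(list)
    for src, _dst, dport, packets, nbytes in flows:
        if dport == dns_port and packets > 0:
            per_host[src].append(nbytes / packets)
    return per_host


def ranks(values):
    """1-based ranks of values; tied values share their average rank."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    r = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j + 2) / 2.0  # mean of positions i+1 .. j+1
        for k in range(i, j + 1):
            r[order[k]] = avg
        i = j + 1
    return r


def mann_whitney_u(sample, reference):
    """Return (U, z) for sample vs reference; z > 0 means sample ranks higher."""
    n1, n2 = len(sample), len(reference)
    r = ranks(list(sample) + list(reference))
    u1 = sum(r[:n1]) - n1 * (n1 + 1) / 2
    mu = n1 * n2 / 2
    sigma = math.sqrt(n1 * n2 * (n1 + n2 + 1) / 12)
    return u1, (u1 - mu) / sigma


def flag_hosts(baseline_flows, window_flows, z_threshold=2.5, min_n=8):
    """One-sided test per host: flag when the window's bytes/packet ranks
    significantly above the host's baseline. Hosts with too few DNS flows in
    either window are reported but never flagged (normal approximation needs n)."""
    baseline = dns_bytes_per_packet(baseline_flows)
    window = dns_bytes_per_packet(window_flows)
    report = {}
    for host, sample in window.items():
        reference = baseline.get(host, [])
        if len(sample) < min_n or len(reference) < min_n:
            report[host] = {"u": None, "z": None, "flagged": False}
            continue
        u, z = mann_whitney_u(sample, reference)
        report[host] = {"u": u, "z": z, "flagged": z > z_threshold}
    return report


if __name__ == "__main__":
    for host, res in flag_hosts(BASELINE_FLOWS, SUSPECT_FLOWS).items():
        print(host, res)
```

Because the test is rank-based it needs no assumption about the distribution of bytes per packet, which is the practical reason to prefer a non-parametric test on flow data: the same threshold can be applied across hosts whose normal DNS volumes differ widely. A real deployment would also baseline per host over several windows and keep the tie correction in the variance.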
Subject
Communication & Information
PNS - Performance of Networks & Services; ISEC - Information Security
TS - Technical Sciences
Infrastructures
Informatics
Information Society
Anomaly detection
Cyber security
DNS tunneling
network flows
To reference this document use:
http://resolver.tudelft.nl/uuid:a523169c-1001-41f3-ad68-6636e8409c5d
DOI
https://doi.org/10.1007/978-3-642-38998-6_16
TNO identifier
474973
Publisher
Springer, Berlin
ISBN
9783642389979
ISSN
0302-9743
Source
Emerging Management Mechanisms for the Future Internet. 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013, 25-28 June 2013, Barcelona, Spain, 124-135
Series
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Document type
bookPart