Behavior Analysis based DNS Tunneling Detection and Classification with Big Data Technologies

Bin Yu, Femi Olumofin, Les Smith, Mark Threefoot

Abstract

The Domain Name System (DNS) is ubiquitous in any network. DNS tunnelling is a technique to transfer data, convey messages or conduct TCP activities over the DNS protocol, which is typically not blocked or watched by security enforcement such as firewalls. As a technique, it can be used in many malicious ways that compromise the security of a network through data exfiltration, cyber-espionage, and command and control. On the other hand, it can also be used by legitimate users. Traditional methods may not be able to distinguish between legitimate and malicious uses even if they can detect DNS tunnelling activity. We propose a behaviour-analysis-based method that can not only detect DNS tunnelling but also classify the activities in order to catch and block malicious tunnelling traffic. The proposed method can achieve real-time detection at scale on fast and large DNS data with the use of big data technologies in offline training and online detection systems.



Paper Citation


in Harvard Style

Yu B., Smith L., Olumofin F. and Threefoot M. (2016). Behavior Analysis based DNS Tunneling Detection and Classification with Big Data Technologies. In Proceedings of the International Conference on Internet of Things and Big Data - Volume 1: IoTBD, ISBN 978-989-758-183-0, pages 284-290. DOI: 10.5220/0005795002840290


in Bibtex Style

@conference{iotbd16,
author={Bin Yu and Les Smith and Femi Olumofin and Mark Threefoot},
title={Behavior Analysis based DNS Tunneling Detection and Classification with Big Data Technologies},
booktitle={Proceedings of the International Conference on Internet of Things and Big Data - Volume 1: IoTBD},
year={2016},
pages={284-290},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005795002840290},
isbn={978-989-758-183-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Internet of Things and Big Data - Volume 1: IoTBD
TI - Behavior Analysis based DNS Tunneling Detection and Classification with Big Data Technologies
SN - 978-989-758-183-0
AU - Yu B.
AU - Smith L.
AU - Olumofin F.
AU - Threefoot M.
PY - 2016
SP - 284
EP - 290
DO - 10.5220/0005795002840290