Deep Learning Based DNS Tunneling Detection and Blocking System
ALTUNCU, M. A., GULAGIZ, F. K., OZCAN, H., BAYIR, O. F., GEZGIN, A., NIYAZOV, A., CAVUSLU, M. A., SAHIN, S.
Author keywords
artificial neural networks, computer networks, domain name system, intrusion detection, machine learning
About this article
Date of Publication: 2021-08-31
Volume 21, Issue 3, Year 2021, On page(s): 39 - 48
ISSN: 1582-7445, e-ISSN: 1844-7600
Digital Object Identifier: 10.4316/AECE.2021.03005
Web of Science Accession Number: 000691632000005
SCOPUS ID: 85114771421
Abstract
The main purpose of DNS is to resolve domain names to IP addresses. Because inadequate precautions are taken for the security of DNS, it is used for malicious communication and data leakage. Within the scope of this study, a real-time deep-network-based system is proposed for live networks to prevent common DNS tunneling threats. The particular feature of the study is the decision-making capability of the proposed system at the instant a threat occurs on a live system. Networks trained with various deep network topologies, using data from the Alexa top 1 million sites, were tested on a live network. During the tests the system was integrated into the network to prevent threats in real time. The results of the tests reveal that the threats were blocked with a success rate of 99.91%. The obtained results confirm that almost all tunnel attacks over the DNS protocol can be blocked. In addition, the average time to block each tunneled packet was calculated to be 0.923 ms. This time clearly demonstrates that the network flow will not be affected, and no delay will be experienced in the real-time operation of the system.
Faculty of Electrical Engineering and Computer Science
Stefan cel Mare University of Suceava, Romania