Abstract
The use of covert-channel methods to bypass security policies has increased in recent years. Malicious users neutralize security restrictions by encapsulating protocols such as peer-to-peer, chat or HTTP proxy traffic into other, allowed protocols such as DNS or HTTP. This paper illustrates different approaches to detecting one particular covert-channel technique: DNS tunneling.
Results from experiments conducted on a live network are obtained by replicating individual detections over successive samples over time and making a global decision through a majority voting scheme. The technique overcomes traditional classifier limitations. A performance evaluation shows that the best approach reaches good results by resorting to a unique classification scheme, applicable in the presence of different tunnelled applications.
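The majority-voting scheme described in the abstract, as an added illustration that is not code from the paper: each DNS query is one sample, a per-sample detector returns a binary decision, and the global decision for a window of successive samples is the majority of those decisions. The paper does not publish its classifier or features, so the per-sample rule below (subdomain length and character entropy thresholds) and the window size are assumptions standing in for a trained supervised model; the query names are constructed for the example.

```python
import math
from collections import Counter

# Constructed sample traffic (not from the paper). Benign queries carry short
# dictionary-like labels; tunnel-like queries carry long encoded labels below
# the registered domain, as DNS tunneling tools typically produce.
BENIGN_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "cdn1.static.example.com",
    "api.example.com",
    "ntp.example.com",
    "img.example.com",
]
TUNNEL_QUERIES = [
    "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.t.example.com",
    "cGF5bG9hZCBjaHVuayBudW1iZXIgMDAyIGRhdGE.t.example.com",
    "dGhpcmQgY2h1bmsgb2YgdGhlIHNhbWUgc3RyZWFt.t.example.com",
    "Zm91cnRoIGNodW5rIGNhcnJpZXMgbW9yZSBkYXRh.t.example.com",
]

# Thresholds for the stand-in per-sample rule (assumption, not the paper's values).
MAX_BENIGN_SUBDOMAIN_LEN = 30
MAX_BENIGN_ENTROPY_BITS = 3.8


def shannon_entropy(text: str) -> float:
    """Shannon entropy of the characters in text, in bits (0.0 for empty text)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def subdomain_part(qname: str) -> str:
    """Everything below the registered domain, assumed to be the last two labels."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2])


def sample_decision(qname: str) -> int:
    """Per-sample detection: 1 = looks like tunneling, 0 = benign.

    Stand-in for the supervised classifier: flags long or high-entropy
    subdomain content (assumed thresholds)."""
    sub = subdomain_part(qname)
    if len(sub) > MAX_BENIGN_SUBDOMAIN_LEN:
        return 1
    if shannon_entropy(sub) > MAX_BENIGN_ENTROPY_BITS:
        return 1
    return 0


def majority_vote(decisions: list) -> int:
    """Global decision over successive per-sample detections.

    Returns 1 when at least half of the samples were flagged (ties resolved
    toward the alarm, an assumption chosen for a detection setting)."""
    if not decisions:
        return 0
    return 1 if 2 * sum(decisions) >= len(decisions) else 0


def detect(queries: list, window: int) -> list:
    """Split a query stream into consecutive windows of `window` samples and
    return one majority-vote decision per window (the last window may be short)."""
    results = []
    for start in range(0, len(queries), window):
        chunk = queries[start:start + window]
        results.append(majority_vote([sample_decision(q) for q in chunk]))
    return results


# Constructed stream: first window is mostly benign with one tunnel sample,
# second window is mostly tunnel samples with two benign ones.
STREAM = BENIGN_QUERIES[:4] + TUNNEL_QUERIES[:1] + BENIGN_QUERIES[4:6] + TUNNEL_QUERIES[1:4]

if __name__ == "__main__":
    for i, decision in enumerate(detect(STREAM, 5)):
        print(f"window {i}: {'TUNNEL' if decision else 'benign'}")
```

A single flagged query in the first window is outvoted, while the second window raises the alarm; this is the effect the abstract describes, where a noisy per-sample classifier is made usable by aggregating its decisions over time rather than acting on each one.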
© 2014 Springer International Publishing Switzerland
Cite this paper
Aiello, M., Mongelli, M., Papaleo, G. (2014). Supervised Learning Approaches with Majority Voting for DNS Tunneling Detection. In: de la Puerta, J., et al. International Joint Conference SOCO’14-CISIS’14-ICEUTE’14. Advances in Intelligent Systems and Computing, vol 299. Springer, Cham. https://doi.org/10.1007/978-3-319-07995-0_46
DOI: https://doi.org/10.1007/978-3-319-07995-0_46
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-07994-3
Online ISBN: 978-3-319-07995-0
eBook Packages: Engineering (R0)