Information-Based Heavy Hitters for Real-Time DNS Data Exfiltration Detection and Prevention (2307.02614v1)

Published 5 Jul 2023 in cs.CR

Abstract: Data exfiltration over the DNS protocol and its detection have been researched extensively in recent years. Prior studies focused on offline detection methods, which although capable of detecting attacks, allow a large amount of data to be exfiltrated before the attack is detected and dealt with. In this paper, we introduce Information-based Heavy Hitters (ibHH), a real-time detection method which is based on live estimations of the amount of information transmitted to registered domains. ibHH uses constant-size memory and supports constant-time queries, which makes it suitable for deployment on recursive DNS servers to further reduce detection and response time. In our evaluation, we compared the performance of the proposed method to that of leading state-of-the-art DNS exfiltration detection methods on real-world datasets comprising over 250 billion DNS queries. The evaluation demonstrates ibHH's ability to successfully detect exfiltration rates as slow as 0.7B/s, with a false positive alert rate of less than 0.004, with significantly lower resource consumption compared to other methods.
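To make the idea in the abstract concrete, here is an added illustration (not the paper's ibHH implementation) of an information-weighted heavy-hitter sketch keyed by registered domain: each query's sub-labels are scored by a Shannon-entropy estimate of the bytes they could carry, the score is accumulated per registered domain in a fixed number of Space-Saving counters, and domains whose estimate crosses a threshold are reported. The last-two-labels heuristic for the registered domain, the entropy proxy, the counter bound `k`, the threshold and the sample query names are all assumptions constructed for this example.

```python
import math
from collections import Counter

# Constructed sample DNS query names (not from the paper's datasets).
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "a3f9c2e1b7d4.exfil.example.net",
    "9b1e7a0c4d2f.exfil.example.net",
    "ff00d1e2a3b4.exfil.example.net",
    "cdn.example.org",
]

def registered_domain(qname: str) -> str:
    """Assumption: registered domain = last two labels (a real deployment
    would consult a public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def information_bytes(qname: str) -> float:
    """Estimate bytes of information carried below the registered domain:
    per-character Shannon entropy (bits) times payload length, over 8."""
    name = qname.rstrip(".").lower()
    payload = name[: -len(registered_domain(name))].rstrip(".")
    if not payload:
        return 0.0
    n = len(payload)
    entropy = sum(-(c / n) * math.log2(c / n) for c in Counter(payload).values())
    return entropy * n / 8

class InfoHeavyHitters:
    """Space-Saving counters keyed by registered domain and weighted by
    estimated information bytes; memory is bounded by k counters."""
    def __init__(self, k: int):
        self.k = k
        self.counters: dict[str, float] = {}  # domain -> estimated bytes

    def add(self, qname: str) -> None:
        d, w = registered_domain(qname), information_bytes(qname)
        if d in self.counters:
            self.counters[d] += w
        elif len(self.counters) < self.k:
            self.counters[d] = w
        else:  # evict the smallest counter; newcomer inherits its estimate
            victim = min(self.counters, key=self.counters.get)
            self.counters[d] = self.counters.pop(victim) + w

    def heavy(self, threshold_bytes: float) -> list[str]:
        return sorted(d for d, v in self.counters.items() if v >= threshold_bytes)

def detect(queries, k: int, threshold_bytes: float) -> list[str]:
    hh = InfoHeavyHitters(k)
    for q in queries:
        hh.add(q)
    return hh.heavy(threshold_bytes)
```

Run over a time window, the threshold becomes a bytes-per-window rate, which is the quantity the abstract's 0.7 B/s figure refers to.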
