Abstract
DNS tunneling techniques are often used for malicious purposes. Network security mechanisms have struggled to detect DNS tunneling. Network forensic analysis has been proposed as a solution, but it is slow, invasive and tedious as network forensic analysis tools struggle to deal with undocumented and new network tunneling techniques.
This chapter presents a method for supporting forensic analysis by automating the inference of tunneled protocols. The internal packet structure of DNS tunneling techniques is analyzed, and the information entropy of various network protocols and of their DNS tunneled equivalents is characterized. This provides the basis for a protocol prediction method that uses entropy distribution averaging. Experiments demonstrate that the method has a prediction accuracy of 75%. The method also preserves privacy because it only computes the information entropy and does not parse the actual tunneled content.
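As an added illustration of the approach the abstract describes (not the chapter's own code), the Python below computes the Shannon entropy of each payload, averages each known protocol's entropy distribution into a binned profile, and predicts the protocol of an unknown tunneled flow by the nearest profile. The binning, the earth mover's distance and the sample flows are assumptions, and the block takes already-extracted tunnel payload bytes as input.

```python
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(payloads, bins: int = 8) -> list:
    """Averaged entropy distribution of one protocol: the fraction of
    payloads whose entropy falls in each equal-width bin over [0, 8] bits."""
    hist = [0.0] * bins
    for p in payloads:
        idx = min(int(shannon_entropy(p) / 8.0 * bins), bins - 1)
        hist[idx] += 1.0
    total = len(payloads) or 1
    return [v / total for v in hist]

def profile_distance(a: list, b: list) -> float:
    """1-D earth mover's distance between two binned distributions,
    computed as the L1 difference of their cumulative sums (assumed here;
    the chapter abstract does not name its distance measure)."""
    dist, ca, cb = 0.0, 0.0, 0.0
    for x, y in zip(a, b):
        ca += x
        cb += y
        dist += abs(ca - cb)
    return dist

def predict_protocol(profiles: dict, payloads) -> str:
    """Return the protocol whose averaged profile is closest to the
    profile of the unknown (tunneled) flow; only entropy is examined."""
    unknown = entropy_profile(payloads)
    return min(profiles, key=lambda name: profile_distance(profiles[name], unknown))

# Constructed training flows (not real captures): a plaintext protocol with
# low-entropy payloads and an encrypted one whose payloads look random.
PLAINTEXT_FLOWS = [b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"] * 5
RANDOM_FLOWS = [bytes(range(256))] * 5     # every byte value once: 8 bits/byte
PROFILES = {
    "http": entropy_profile(PLAINTEXT_FLOWS),
    "tls": entropy_profile(RANDOM_FLOWS),
}

if __name__ == "__main__":
    print(predict_protocol(PROFILES, [b"GET / HTTP/1.1\r\n\r\n"]))   # http
    print(predict_protocol(PROFILES, [bytes(reversed(range(256)))]))  # tls
```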
© 2018 IFIP International Federation for Information Processing
Cite this paper
Homem, I., Papapetrou, P., Dosis, S. (2018). Information-Entropy-Based DNS Tunnel Prediction. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics XIV. DigitalForensics 2018. IFIP Advances in Information and Communication Technology, vol 532. Springer, Cham. https://doi.org/10.1007/978-3-319-99277-8_8
DOI: https://doi.org/10.1007/978-3-319-99277-8_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-99276-1
Online ISBN: 978-3-319-99277-8
eBook Packages: Computer Science (R0)