DOI: 10.1145/3425329.3425336
research-article

Naruto: DNS Covert Channels Detection Based on Stacking Model

Published: 11 November 2020

Abstract

A covert channel is an information channel that a computer process uses to exfiltrate data by bypassing security policies. The DNS protocol is one of the important ways to implement a covert channel, and DNS covert channels are easily used by attackers for malicious purposes. Effective detection of DNS covert channels is therefore significant for computer system and network security. To address the difficulty of identifying DNS covert channels, we propose a DNS covert channel detection method based on a stacking model. The stacking model is evaluated in a campus network, and the experimental results show that it can detect DNS covert channels effectively. It can also identify unknown covert channel traffic. The area under the curve (AUC) of the proposed method reaches 0.9901, outperforming existing methods.




    Published In

    WSSE '20: Proceedings of the 2nd World Symposium on Software Engineering
    September 2020
    329 pages
    ISBN:9781450387873
    DOI:10.1145/3425329

    In-Cooperation

    • Wuhan Univ.: Wuhan University, China
    • University of Electronic Science and Technology of China: University of Electronic Science and Technology of China

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. Covert channel
    2. DNS
    3. Stacking model

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    WSSE 2020


    Cited By

    • (2024) A Review on Network Covert Channel Construction and Attack Detection. Concurrency and Computation: Practice and Experience. DOI: 10.1002/cpe.8316. Online publication date: 26-Oct-2024
    • (2023) Malicious DNS Tunnel Tool Recognition Using Persistent DoH Traffic Analysis. IEEE Transactions on Network and Service Management, 20:2 (2086-2095). DOI: 10.1109/TNSM.2022.3215681. Online publication date: Jun-2023
    • (2023) An ensemble framework for detection of DNS-Over-HTTPS (DOH) traffic. Multimedia Tools and Applications, 83:11 (32945-32972). DOI: 10.1007/s11042-023-16956-9. Online publication date: 25-Sep-2023
    • (2021) Optimum-path forest stacking-based ensemble for intrusion detection. Evolutionary Intelligence, 15:3 (2037-2054). DOI: 10.1007/s12065-021-00609-7. Online publication date: 12-May-2021
    • (2021) Identifying Malicious DNS Tunnel Tools from DoH Traffic Using Hierarchical Machine Learning Classification. Information Security (238-256). DOI: 10.1007/978-3-030-91356-4_13. Online publication date: 9-Nov-2021
