DOI: 10.1145/3465481.3470089

Network Flow Entropy for Identifying Malicious Behaviours in DNS Tunnels

Published: 17 August 2021

Abstract

In this paper, we propose the concept of "entropy of a flow" to augment flow statistical features for identifying malicious behaviours in DNS tunnels, specifically DNS over HTTPS traffic. In order to achieve this, we explore the use of three flow exporters, namely Argus, DoHlyzer and Tranalyzer2, to extract flow statistical features. We then augment these features using different ways of calculating the entropy of a flow. To this end, we investigate three entropy calculation approaches: entropy over all packets of a flow, entropy over the first 96 bytes of a flow, and entropy over the first n packets of a flow. We evaluate five machine learning classifiers, namely Decision Tree, Random Forest, Logistic Regression, Support Vector Machine and Naive Bayes, using these features in order to identify malicious behaviours in different publicly available datasets. The evaluations show that the Decision Tree classifier achieves an F-measure of 99.7% when flow statistical features are augmented with the entropy of a flow calculated over the first 4 packets.
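The three entropy variants the abstract describes, as an added worked example that is not the paper's code: Shannon entropy in bits per byte over (1) all packet payloads of a flow, (2) the first 96 bytes of the flow, and (3) the first n packets (n = 4, the setting that scored best), attached to a few flow statistics of the kind a classifier would receive. The statistic names, the sample flows and the SHA-256 chain that stands in for ciphertext are this example's own assumptions, not anything taken from the paper or from Argus, DoHlyzer or Tranalyzer2.

```python
import hashlib
import math
from collections import Counter
from typing import Dict, List

Flow = List[bytes]  # one flow = the ordered payloads of its packets


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte: 0.0 for empty or
    constant input, 8.0 when all 256 byte values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_all_packets(flow: Flow) -> float:
    """Variant 1: entropy over the concatenated payloads of every packet."""
    return shannon_entropy(b"".join(flow))


def entropy_first_bytes(flow: Flow, n_bytes: int = 96) -> float:
    """Variant 2: entropy over the first n_bytes of the flow (96 in the paper)."""
    return shannon_entropy(b"".join(flow)[:n_bytes])


def entropy_first_packets(flow: Flow, n_packets: int = 4) -> float:
    """Variant 3: entropy over the payloads of the first n_packets (4 scored best)."""
    return shannon_entropy(b"".join(flow[:n_packets]))


def augmented_features(flow: Flow) -> Dict[str, float]:
    """Flow statistics of the kind an exporter emits, augmented with the three
    entropy features. The statistic names are this example's own choice, not
    the field names of any exporter."""
    sizes = [len(p) for p in flow]
    total = sum(sizes)
    return {
        "packets": float(len(flow)),
        "bytes": float(total),
        "mean_packet_size": total / len(flow) if flow else 0.0,
        "entropy_all": entropy_all_packets(flow),
        "entropy_first_96_bytes": entropy_first_bytes(flow, 96),
        "entropy_first_4_packets": entropy_first_packets(flow, 4),
    }


def pseudo_random_payload(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes (a SHA-256 chain) standing in for
    ciphertext; constructed for this example, not captured traffic."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


# Constructed sample flows (not from any dataset): plaintext HTTP-like payloads
# versus opaque, ciphertext-like payloads such as a DoH tunnel would carry.
PLAINTEXT_FLOW: Flow = [
    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    b"<html><body>hello hello hello</body></html>",
    b"GET /style.css HTTP/1.1\r\nHost: example.com\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/css\r\n\r\n",
    b"body { color: black; }",
]
TUNNEL_FLOW: Flow = [pseudo_random_payload(bytes([i]), 120) for i in range(6)]


if __name__ == "__main__":
    for name, flow in (("plaintext", PLAINTEXT_FLOW), ("tunnel", TUNNEL_FLOW)):
        feats = augmented_features(flow)
        print(name, {k: round(v, 3) for k, v in feats.items()})
```

Two caveats worth keeping in mind when reusing these features: a window of 96 bytes can never exceed log2(96) ≈ 6.58 bits per byte however random the payload, so a threshold tuned on whole-flow entropy does not transfer to the 96-byte variant; and "first n packets" depends on how the exporter delimits packets and payloads (TLS record boundaries, retransmissions, reassembly), so the same capture can yield different values under Argus, DoHlyzer and Tranalyzer2.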




    Published In

    ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security
    August 2021
    1447 pages
    ISBN:9781450390514
    DOI:10.1145/3465481

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. Cyber security
    2. DNS tunnels
    3. HTTPS tunnels
    4. Machine Learning
    5. Network Flow Entropy

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    ARES 2021

    Acceptance Rates

    Overall Acceptance Rate 228 of 451 submissions, 51%


Cited By

    • (2024) MFC-DoH: DoH Tunnel Detection Based on the Fusion of MAML and F-CNN. Proceedings of the 21st ACM International Conference on Computing Frontiers, 267-275. https://doi.org/10.1145/3649153.3649207. Online publication date: 7 May 2024.
    • (2023) DoH Tunneling Traffic Detection Based on Single Packet Features Analysis. Proceedings of the 2023 12th International Conference on Networks, Communication and Computing, 57-63. https://doi.org/10.1145/3638837.3638861. Online publication date: 15 December 2023.
    • (2023) Malicious encrypted network traffic flow detection using enhanced optimal deep feature selection with DLSTM. International Journal of Modeling, Simulation, and Scientific Computing 15(1). https://doi.org/10.1142/S1793962324500119. Online publication date: 19 July 2023.
    • (2023) Malicious DNS Tunnel Tool Recognition Using Persistent DoH Traffic Analysis. IEEE Transactions on Network and Service Management 20(2), 2086-2095. https://doi.org/10.1109/TNSM.2022.3215681. Online publication date: 1 June 2023.
    • (2023) PACLASS: A Lightweight Classification Framework on DNS-Over-HTTPS. ICC 2023 - IEEE International Conference on Communications, 3805-3810. https://doi.org/10.1109/ICC45041.2023.10279398. Online publication date: 28 May 2023.
    • (2023) Detection of DGA-based Malware Communications from DoH Traffic Using Machine Learning Analysis. 2023 IEEE 20th Consumer Communications & Networking Conference (CCNC), 224-229. https://doi.org/10.1109/CCNC51644.2023.10059835. Online publication date: 8 January 2023.
    • (2022) PicP-MUD: Profiling Information Content of Payloads in MUD Flows for IoT Devices. 2022 IEEE 23rd International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM), 521-526. https://doi.org/10.1109/WoWMoM54355.2022.00081. Online publication date: June 2022.
    • (2022) A security model for DNS tunnel detection on cloud platform. 2022 Workshop on Communication Networks and Power Systems (WCNPS), 1-6. https://doi.org/10.1109/WCNPS56355.2022.9969715. Online publication date: 17 November 2022.
    • (2022) DNS tunnels detection via DNS-images. Information Processing and Management: an International Journal 59(3). https://doi.org/10.1016/j.ipm.2022.102930. Online publication date: 1 May 2022.
