
Detection of Malicious and Low Throughput Data Exfiltration Over the DNS Protocol [article]

Asaf Nadler, Avi Aminov, Asaf Shabtai
2018 arXiv   pre-print
The goal of this study is to propose a method for detecting both tunneling and low-throughput data exfiltration over the DNS.  ...  While the importance of tunneling detection is not in question, an entire class of low-throughput DNS exfiltration malware has remained overlooked.  ...  The evaluation focuses on two primary goals: the detection of low-throughput malware exfiltration and the detection of high-throughput DNS tunneling.  ... 
arXiv:1709.08395v2 fatcat:vtcpoebvjvhwxlnno5hlg2upxy

DNSxD: Detecting Data Exfiltration Over DNS

Jacob Steadman, Sandra Scott-Hayward
2018 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN)
Popular DNS data exfiltration attacks and current exfiltration detection mechanisms are analysed to generate a feature set for DNS data exfiltration detection.  ...  This paper addresses the issue of DNS-based data exfiltration by proposing a detection and mitigation method that leverages the Software-Defined Network (SDN) architecture.  ...  As described in Section II, several solutions have previously been proposed to tackle the threat of data exfiltration over DNS.  ... 
doi:10.1109/nfv-sdn.2018.8725640 dblp:conf/nfvsdn/SteadmanS18 fatcat:3jt6vnshqbfhhebz5mi6csr3am

DNS Tunneling Detection Using Feedforward Neural Network

Yakov Bubnov
2018 European Journal of Engineering Research and Science  
This paper addresses the problem of detecting Domain Name System (DNS) tunneling in a computer network.  ...  Given the DNS queries from both legitimate and adversary clients, this paper proposes a machine-learning method of distinguishing tunneling strategies.  ...  detect the fact of DNS tunneling.  ... 
doi:10.24018/ejers.2018.3.11.963 fatcat:bo4gdwaka5hzjkvhogftlwfwey

Exploitation of DNS Tunneling for Optimization of Data Exfiltration in Malware-free APT Intrusions

Aaron Zimba, Mumbi Chishimba
2017 Zambia ICT Journal  
Our attack structure exploits the use of system services and resources including, but not limited to, RDP, PowerShell, the Windows accessibility backdoor and DNS tunneling.  ...  Results show that it is possible to exfiltrate data from vulnerable hosts using a malware-free intrusion as the infection vector and DNS tunneling as the data exfiltration technique.  ...  Leveraging DNS tunneling for data exfiltration is especially attractive since DNS is permitted by default in most IDSs and firewalls, which in itself results in a low detection rate.  ... 
doi:10.33260/zictjournal.v1i1.26 fatcat:zdooxsvjvncjvfbigvoepxdjg4

Browser-Based Covert Data Exfiltration [article]

Kenton Born
2010 arXiv   pre-print
This paper explores novel methods of using a browser's JavaScript engine to exfiltrate documents over the Domain Name System (DNS) protocol without sending less covert Hypertext Transfer Protocol (HTTP  ...  This effectively mitigates many insider threats regarding the collection and exfiltration of data.  ...  Lack of monitoring has led to DNS tunnels such as Iodine, Dns2tcp, and TCP-over-DNS growing in popularity (TCP-Over-DNS 2008; Dembour 2008; Iodine 2009).  ... 
arXiv:1004.4357v1 fatcat:woczn22f7vcadnksaeirk33eye

Flow-Based Detection of DNS Tunnels [chapter]

Wendy Ellens, Piotr Żuraniewski, Anna Sperotto, Harm Schotanus, Michel Mandjes, Erik Meeuwissen
2013 Lecture Notes in Computer Science  
DNS tunnels allow circumventing access and security policies in firewalled networks.  ...  Firstly, based on flow-derived variables that we identified as indicative of DNS tunnelling activities, we identify and evaluate a set of non-parametric statistical tests that are particularly useful  ...  The CAD project was partially funded by the Dutch Ministry of Economic Affairs, Agriculture and Innovation as part of the Maatschappelijke Innovatie Agenda Veiligheid (IMV1100032).  ... 
doi:10.1007/978-3-642-38998-6_16 fatcat:nuhuqsik2redtneotjjmlubp2y

DNS Covert Channel Detection via Behavioral Analysis: a Machine Learning Approach [article]

Salvatore Saeli, Federica Bisio, Pierangelo Lombardo, Danilo Massa
2020 arXiv   pre-print
The proposed solution has been evaluated over a 15-day-long experimental session with the injection of traffic that covers the most relevant exfiltration and tunneling attacks: all the malicious variants  ...  Therefore, we propose an effective covert channel detection method, based on the analysis of DNS network data passively extracted from a network monitoring system.  ...  The proposed solution has been evaluated over a test network, with the injection of 8 pcaps associated with 7 different APTs and 1 PoS malware campaign and the network traffic of 5 DNS-tunneling tools  ... 
arXiv:2010.01582v1 fatcat:7rzbcle7cbcfdlwfnwys7cccwe

DNS Tunneling: A Deep Learning based Lexicographical Detection Approach [article]

Franco Palau, Carlos Catania, Jorge Guerra, Sebastian Garcia, Maria Rigaki
2020 arXiv   pre-print
Due to the lack of quality datasets for evaluating DNS tunneling connections, we also present a detailed construction and description of a novel dataset that contains DNS tunneling domains generated with  ...  This characteristic is attractive to attackers, who exploit the DNS tunneling method to establish bidirectional communication with machines infected with malware, with the objective of exfiltrating data or sending  ...  In addition, we want to gratefully acknowledge the support of NVIDIA Corporation with the donation of the Titan V GPU used for this research.  ... 
arXiv:2006.06122v2 fatcat:gty66u7ajvc73ixzb77jxzlzou

DNS Tunneling Detection by Cache-Property-Aware Features

Naotake Ishikura, Daishi Kondo, Vassilis Vassiliades, Iordan Iordanov, Hideki Tode
2021 IEEE Transactions on Network and Service Management  
In the context of data exfiltration by DNS tunneling, the malware connects directly to the DNS cache server and the generated DNS tunneling queries produce cache misses with absolute certainty.  ...  The rule-based filter achieves a higher rate of DNS tunneling attack detection than the LSTM one, which instead detects the attack more quickly, while both maintain a low misdetection rate.  ...  Therefore, one possible future research direction is to investigate the effectiveness of multi-scale ensemble LSTM models for detecting DNS tunneling attacks over large periods of time.  ... 
doi:10.1109/tnsm.2021.3078428 fatcat:f4wa5uro5vbdnkqv6yn2mc5fqy
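The cache-miss observation in the abstract above is easy to turn into a per-client feature: a tunnelling host encodes data in ever-changing labels, so none of its names can already be in the resolver cache, while ordinary clients keep re-asking for the same handful of names inside their TTL. The block below is an added illustration written for this page, not code from Ishikura et al.; it replays a constructed, timestamped query log through a deliberately simple cache model (one uniform TTL, no negative caching, no per-record TTLs) and reports each client's miss ratio. The log, the `10.0.0.9` tunnelling client, the `x.tun.example.net` names, the TTL and the thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed resolver log as (timestamp_seconds, client, qname). Not real traffic.
# 10.0.0.9 is a hypothetical tunnelling host: every query name it sends is unique.
SAMPLE_LOG = [
    (0,   "10.0.0.5", "www.google.com"),
    (1,   "10.0.0.6", "www.google.com"),
    (2,   "10.0.0.5", "login.microsoftonline.com"),
    (3,   "10.0.0.9", "7a3f9c2e.x.tun.example.net"),
    (4,   "10.0.0.9", "0c4e8a1f.x.tun.example.net"),
    (5,   "10.0.0.6", "login.microsoftonline.com"),
    (6,   "10.0.0.9", "5b2d7e9c.x.tun.example.net"),
    (7,   "10.0.0.5", "www.google.com"),
    (400, "10.0.0.6", "www.google.com"),            # past TTL: a legitimate miss
    (401, "10.0.0.9", "e1f3a9b2.x.tun.example.net"),
]

TTL_SECONDS = 300          # assumption: one uniform TTL for the simulated cache
MISS_RATIO_THRESHOLD = 0.9 # assumption: tune against local baseline traffic
MIN_QUERIES = 3            # assumption: too few queries makes the ratio meaningless


class CacheSimulator:
    """Minimal positive cache: qname -> expiry time. Stands in for the
    cache server the malware talks to; real caches key on (name, type)."""

    def __init__(self, ttl):
        self.ttl = ttl
        self.expires = {}

    def lookup(self, ts, qname):
        """Return True on a cache hit; on a miss, insert the name and return False."""
        expiry = self.expires.get(qname)
        if expiry is not None and ts < expiry:
            return True
        self.expires[qname] = ts + self.ttl
        return False


def per_client_miss_ratio(log, ttl=TTL_SECONDS):
    """Replay the log in time order and return
    {client: (queries, misses, miss_ratio)}."""
    cache = CacheSimulator(ttl)
    stats = defaultdict(lambda: [0, 0])  # client -> [queries, misses]
    for ts, client, qname in sorted(log):
        hit = cache.lookup(ts, qname.lower().rstrip("."))
        stats[client][0] += 1
        if not hit:
            stats[client][1] += 1
    return {c: (q, m, m / q) for c, (q, m) in stats.items()}


def suspicious_clients(log, threshold=MISS_RATIO_THRESHOLD, min_queries=MIN_QUERIES):
    """Clients whose queries almost never hit the cache, ignoring clients
    with too few queries (a client's first query for any name is always a miss)."""
    ratios = per_client_miss_ratio(log)
    return sorted(c for c, (q, _, r) in ratios.items()
                  if q >= min_queries and r >= threshold)


if __name__ == "__main__":
    for client, (q, m, r) in sorted(per_client_miss_ratio(SAMPLE_LOG).items()):
        print(f"{client:10} queries={q} misses={m} miss_ratio={r:.2f}")
    print("suspicious:", suspicious_clients(SAMPLE_LOG))
```

Two caveats a practitioner should keep in mind when lifting this into a detector: first-seen names are misses for everyone, so the ratio needs a minimum query count or a warm-up window, and low-throughput exfiltration (a few queries per hour) will only stand out when the ratio is tracked over long periods, which is exactly the multi-scale direction the abstract above points to.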

Detecting DNS Tunnels Using Character Frequency Analysis [article]

Kenton Born, David Gustafson
2010 arXiv   pre-print
This paper explores the possibility of detecting DNS tunnels by analyzing the unigram, bigram, and trigram character frequencies of domains in DNS queries and responses.  ...  Domain Name System (DNS) tunnels provide a means to covertly infiltrate and exfiltrate large amounts of information past network boundaries.  ...  Ozyman, TCP-over-DNS, Iodine, Dns2tcp, DNScat, and DeNiSe are a few of the many DNS tunneling applications available on the internet.  ... 
arXiv:1004.4358v1 fatcat:4pszl6ymvzehxbabcr334zsvia

DNS Tunneling Detection Techniques – Classification, and Theoretical Comparison in Case of a Real APT Campaign [chapter]

Viivi Nuojua, Gil David, Timo Hämäläinen
2017 Lecture Notes in Computer Science  
A DNS tunnel can be used for three purposes: as a command and control channel, for data exfiltration or even for tunneling another protocol through it.  ...  In this paper, we surveyed different techniques for DNS tunneling detection. We classified those first based on the type of data and then within the categories based on the type of analysis.  ...  We surveyed several different DNS tunneling detection techniques and classified those, first, based on the type of data.  ... 
doi:10.1007/978-3-319-67380-6_26 fatcat:l6cfglfzvbehvmv4enavgttnqy

An FPGA System for Detecting Malicious DNS Network Traffic [chapter]

Brennon Thomas, Barry Mullins, Gilbert Peterson, Robert Mills
2011 IFIP Advances in Information and Communication Technology  
An example is traffic that abuses the Domain Name System (DNS) protocol to exfiltrate sensitive data, establish backdoor tunnels or control botnets.  ...  This paper describes the TRAPP-2 system, an extended version of the Tracking and Analysis for Peer-to-Peer (TRAPP) system, which detects BitTorrent and Voice over Internet Protocol (VoIP) traffic.  ...  Also, future research will investigate how DNS security extensions (DNSSEC) and DNSCurve would affect the detection of DNS tunneling. Figure 1. Establishing a DNS tunnel.  ... 
doi:10.1007/978-3-642-24212-0_15 fatcat:ldvpxc6alfhwzooqlt5chmizv4

DoH Tunneling Detection System For Enterprise Network Using Deep Learning Technique

Tuan Anh Nguyen, Minho Park
2022 Applied Sciences  
Recently, to resolve this problem, an encrypted DNS, called DNS-over-HTTPS (DoH), has been developed, and is becoming more widespread.  ...  Therefore, we propose a detection system for DoH tunneling attacks based on Transformer to detect a malicious DoH tunneling and build a fully functional DoH detection system that can be integrated with  ...  This attack is a much stronger version of DNS tunneling, called DoH tunneling. DNS tunneling can be easily detected by capturing and analyzing the DNS traffic content.  ... 
doi:10.3390/app12052416 fatcat:zfeyk2umqbggbgb43iy5jnkcx4

Machine Learning for Detecting Data Exfiltration: A Review [article]

Bushra Sabir, Faheem Ullah, M. Ali Babar, Raj Gaire
2021 arXiv   pre-print
poisoning attacks; and (v) the use of automated feature engineering should be encouraged for efficiently detecting data exfiltration attacks.  ...  Context: Research at the intersection of cybersecurity, Machine Learning (ML), and Software Engineering (SE) has recently taken significant steps in proposing countermeasures for detecting sophisticated  ...  This representation captured the full structural and sequential information of the DNS packets to detect DNS tunnels.  ... 
arXiv:2012.09344v2 fatcat:zpsptvpqaba5zhtzqxtv5tdqra

Automated feature engineering for HTTP tunnel detection

Jonathan J. Davis, Ernest Foo
2016 Computers & security  
The classifier addresses a problem in computer network security, namely the detection of HTTP tunnels.  ...  The derived features are calculated without favour to any base feature and include entropy, length and Ngrams for all string features, and counts and averages over time for all numeric features.  ...  The chosen problem is DNS tunnel detection, particularly those used for data exfiltration. Detection requires analysis of DNS network data.  ... 
doi:10.1016/j.cose.2016.01.006 fatcat:psdgq4nxu5hojmr57ikax46aj4
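Several of the results above rest on the same lexical idea: Born and Gustafson score the unigram, bigram and trigram character frequencies of query names, Palau et al. classify names lexicographically, and Davis and Foo derive entropy, length and N-gram features for every string field. The block below is an added example written for this page, not code from any of those papers; it builds an additively smoothed character-bigram model from a small constructed list of benign names, then scores each query in a constructed resolver log on subdomain length, character entropy and mean bigram log-probability, and raises an alert when at least two signals fire. The training list, the log lines, the hex-encoded `x.tun.example.net` names, the "registered domain equals the last two labels" shortcut and all thresholds are assumptions.

```python
import math
from collections import Counter

# Constructed benign query names used to build the reference character model.
# Illustrative only; a deployment would train on its own resolver logs.
BENIGN_TRAINING = [
    "www.google.com", "mail.google.com", "login.microsoftonline.com",
    "cdn.cloudflare.net", "api.github.com", "static.xx.fbcdn.net",
    "time.windows.com", "ocsp.digicert.com", "update.microsoft.com",
    "images.apple.com", "assets.adobe.com", "www.wikipedia.org",
    "docs.python.org", "files.pythonhosted.org", "outlook.office.com",
]

# Constructed resolver log, one "client qname" per line (not real traffic).
# The long hex labels are hypothetical tunnel queries under a documentation domain.
SAMPLE_LOG = """\
10.0.0.5 www.google.com
10.0.0.5 login.microsoftonline.com
10.0.0.9 7a3f9c2e1b4d8a6f0e5c3b1d9f2a.x.tun.example.net
10.0.0.9 0c4e8a1f3b7d9e2a5c6f1b8d4a3e.x.tun.example.net
10.0.0.7 d1234abcdefgh.cloudfront.net
"""

SUFFIX_LABELS = 2        # assumption: registered domain = last two labels (no PSL)
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-."
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption, tune on local traffic
LENGTH_THRESHOLD = 24    # characters in the subdomain part; assumption
BIGRAM_THRESHOLD = -7.2  # mean log-probability under the benign model; assumption


def subdomain_part(qname):
    """Everything left of the registered domain, e.g. 'www' for www.google.com."""
    labels = qname.strip(".").lower().split(".")
    return ".".join(labels[:-SUFFIX_LABELS])


def ngrams(text, n):
    return [text[i:i + n] for i in range(len(text) - n + 1)]


def shannon_entropy(text):
    """Bits per character over the label characters (dots removed)."""
    text = text.replace(".", "")
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


class CharNgramModel:
    """Additively smoothed character n-gram model trained on benign subdomains."""

    def __init__(self, names, n=2, alpha=0.5):
        self.n, self.alpha = n, alpha
        self.counts = Counter()
        for name in names:
            self.counts.update(ngrams(subdomain_part(name), n))
        self.total = sum(self.counts.values())
        self.vocab = len(ALPHABET) ** n

    def log_prob(self, gram):
        return math.log((self.counts[gram] + self.alpha) /
                        (self.total + self.alpha * self.vocab))

    def mean_log_prob(self, text):
        grams = ngrams(text, self.n)
        return sum(map(self.log_prob, grams)) / len(grams) if grams else 0.0


def features(qname, model):
    sub = subdomain_part(qname)
    return {"sub_len": len(sub),
            "entropy": shannon_entropy(sub),
            "bigram_score": model.mean_log_prob(sub)}


def is_suspicious(feat):
    """Alert when at least two of three signals fire; any single signal is
    noisy on its own (CDN hostnames are short but high-entropy, for example)."""
    votes = ((feat["entropy"] >= ENTROPY_THRESHOLD)
             + (feat["sub_len"] >= LENGTH_THRESHOLD)
             + (feat["bigram_score"] < BIGRAM_THRESHOLD))
    return votes >= 2


def scan_log(log_text, model):
    """Return [(client, qname, features, suspicious)] for every log line."""
    results = []
    for line in log_text.splitlines():
        client, qname = line.split()
        feat = features(qname, model)
        results.append((client, qname, feat, is_suspicious(feat)))
    return results


if __name__ == "__main__":
    model = CharNgramModel(BENIGN_TRAINING)
    for client, qname, feat, flagged in scan_log(SAMPLE_LOG, model):
        print(f"{'ALERT' if flagged else 'ok   '} {client} {qname} "
              f"len={feat['sub_len']} H={feat['entropy']:.2f} "
              f"bigram={feat['bigram_score']:.2f}")
```

The voting rule is deliberate: a lexical detector tuned on length or entropy alone fires on CDN and anti-spam hostnames, and a well-chosen encoding can keep per-query entropy low, which is why the low-throughput result at the top of this list argues for aggregating per destination domain over time rather than judging each query in isolation.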