Detection of Tunnels in PCAP Data by Random Forests
| Field | Value |
| --- | --- |
| Title | Detection of Tunnels in PCAP Data by Random Forests |
| Publication Type | Conference Paper |
| Year of Publication | 2016 |
| Authors | Buczak, Anna L., Hanke, Paul A., Cancro, George J., Toma, Michael K., Watkins, Lanier A., Chavis, Jeffrey S. |
| Conference Name | Proceedings of the 11th Annual Cyber and Information Security Research Conference |
| Publisher | ACM |
| Conference Location | New York, NY, USA |
| ISBN Number | 978-1-4503-3752-6 |
| Keywords | composability, Cyber Attacks, machine learning, privacy, pubcrawl, random forests, Resiliency, tunneling |
| Abstract | This paper describes an approach for detecting the presence of domain name system (DNS) tunnels in network traffic. DNS tunneling is a common technique hackers use to establish command and control nodes and to exfiltrate data from networks. To generate the training data sufficient to build models to detect DNS tunneling activity, a penetration testing effort was employed. We extracted features from this data and trained random forest classifiers to distinguish normal DNS activity from tunneling activity. The classifiers successfully detected the presence of tunnels we trained on, and four other types of tunnels that were not a part of the training set. |
| URL | http://doi.acm.org/10.1145/2897795.2897804 |
| DOI | 10.1145/2897795.2897804 |
| Citation Key | buczak_detection_2016 |