Detection of Exfiltration and Tunneling over DNS
| Field | Value |
| --- | --- |
| Title | Detection of Exfiltration and Tunneling over DNS |
| Publication Type | Conference Paper |
| Year of Publication | 2017 |
| Authors | Das, A., Shen, M. Y., Shashanka, M., Wang, J. |
| Conference Name | 2017 16th IEEE International Conference on Machine Learning and Applications (ICMLA) |
| Keywords | advanced persistent threat attacks, advanced persistent threats, C&C, command & control servers, command and control systems, DNS, DNS tunnel, domain name system, encoding, exfiltration, Human Behavior, indicator of compromise, information exfiltration, invasive software, IOC, IP networks, learning (artificial intelligence), machine learning, machine learning models, malicious purposes, Malware, Measurement, Metrics, Monitoring, pubcrawl, resilience, Resiliency, Scalability, Servers, tunneling |
| Abstract | This paper proposes a method to detect two primary means of using the Domain Name System (DNS) for malicious purposes. We develop machine learning models to detect information exfiltration from compromised machines and the establishment of command & control (C&C) servers via tunneling. We validate our approach by experiments in which we successfully detect malware used in several recent Advanced Persistent Threat (APT) attacks [1]. The novelty of our method is its robustness, simplicity, scalability, and ease of deployment in a production environment. |
| URL | http://ieeexplore.ieee.org/document/8260721/ |
| DOI | 10.1109/ICMLA.2017.00-71 |
| Citation Key | das_detection_2017 |