Published April 9, 2020 | Version Accepted pre-print
Conference paper (Open Access)

Cache-Property-Aware Features for DNS Tunneling Detection

  • 1. Osaka Prefecture University, Japan
  • 2. Corpy & Co., Japan
  • 3. Research Centre on Interactive Media, Smart Systems and Emerging Technologies (RISE), Cyprus

Description

Many enterprises are under threat of targeted attacks that cause data exfiltration. As a means of carrying out such attacks,
attackers and their malware have exploited DNS tunneling in recent years. Although there have been many research efforts to
detect DNS tunneling, the previously proposed methods rely on features that malicious entities can easily obfuscate by
mimicking legitimate ones; such obfuscation would therefore result in data leakage. To mitigate this issue, we focus on a trace
of DNS tunneling that cannot be easily hidden: in the context of DNS data exfiltration, malware connects directly to the DNS
cache server, and a DNS tunneling query produces a cache miss with absolute certainty. In this work, we propose features
derived from this cache property. Our extensive experiments show that one of the proposed features clearly distinguishes
DNS tunneling traffic, which makes it useful for designing and implementing a solid DNS firewall against DNS tunneling.
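As an added illustration of the cache property described above (this is not code from the paper, and the feature it computes is not the authors' feature definition): a tunneling query from malware that talks directly to the cache server is necessarily a cache miss, so a resolver that logs HIT/MISS per query already carries the signal. The script below parses a constructed resolver log, computes a per-client cache-miss ratio together with the number of distinct names behind those misses, and flags clients whose ratio is high over enough queries to judge. The log format, the sample IPs and domains, and the threshold values are all assumptions made for this example.

```python
"""Per-client cache-miss ratio from a resolver log (illustrative feature, not the paper's)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed resolver-log format (assumption, not the paper's data set):
#   "<unix_ts> <client_ip> <qname> <qtype> <HIT|MISS>"
# 10.0.0.5 behaves like a normal host; 10.0.0.9 emits unique subdomains that all miss.
SAMPLE_LOG = """\
1586390400 10.0.0.5 www.example.com A HIT
1586390401 10.0.0.5 mail.example.com MX MISS
1586390402 10.0.0.5 www.example.com A HIT
1586390403 10.0.0.5 cdn.example.net A HIT
1586390404 10.0.0.9 3a7f1c.data.tunnel.example A MISS
1586390405 10.0.0.9 9b02ee.data.tunnel.example A MISS
1586390406 10.0.0.9 c4d811.data.tunnel.example TXT MISS
1586390407 10.0.0.9 00ff3a.data.tunnel.example TXT MISS
1586390408 10.0.0.9 www.example.com A HIT
this line is malformed and must be skipped
"""


@dataclass
class ClientStats:
    queries: int = 0
    misses: int = 0
    miss_qnames: set = field(default_factory=set)  # distinct names that missed the cache

    @property
    def miss_ratio(self) -> float:
        return self.misses / self.queries if self.queries else 0.0


def parse_log(text):
    """Return (ts, client, qname, qtype, is_miss) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit() or parts[4] not in ("HIT", "MISS"):
            continue  # a detector must tolerate junk lines rather than crash on them
        ts, client, qname, qtype, status = parts
        records.append((int(ts), client, qname.lower().rstrip("."), qtype, status == "MISS"))
    return records


def stats_by_client(records):
    """Aggregate query count, miss count and distinct missed names per client."""
    stats = defaultdict(ClientStats)
    for _ts, client, qname, _qtype, is_miss in records:
        s = stats[client]
        s.queries += 1
        if is_miss:
            s.misses += 1
            s.miss_qnames.add(qname)
    return dict(stats)


def flag_clients(records, threshold=0.8, min_queries=4):
    """Clients whose miss ratio reaches `threshold` after at least `min_queries` queries."""
    stats = stats_by_client(records)
    return sorted(c for c, s in stats.items()
                  if s.queries >= min_queries and s.miss_ratio >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, s in sorted(stats_by_client(recs).items()):
        print(f"{client}: {s.queries} queries, {s.misses} misses, "
              f"ratio={s.miss_ratio:.2f}, distinct missed names={len(s.miss_qnames)}")
    print("flagged:", flag_clients(recs))
```

Legitimate clients also produce misses (the first lookup of any name), so the ratio is only meaningful over a window of several queries; `min_queries` and `threshold` are the knobs to tune against a baseline of normal resolver traffic, and the distinct-missed-name count helps separate a host that misses on many unique labels from one that repeatedly misses on the same few names.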

Notes

This work has received funding from the European Union's Horizon 2020 Research and Innovation Programme under Grant Agreement No 739578 and the Government of the Republic of Cyprus through the Directorate General for European Programmes, Coordination and Development.

Files

Ishikura_et_al_ICIN2020.pdf (517.0 kB, md5:5659ffc9a9ed64e77976f2469e1a5842)

Additional details

Funding

European Commission: RISE – Research Center on Interactive Media, Smart System and Emerging Technologies (Grant No 739578)