Detection of Tunnels in PCAP Data by Random Forests

Title: Detection of Tunnels in PCAP Data by Random Forests
Publication Type: Conference Paper
Year of Publication: 2016
Authors: Buczak, Anna L., Hanke, Paul A., Cancro, George J., Toma, Michael K., Watkins, Lanier A., Chavis, Jeffrey S.
Conference Name: Proceedings of the 11th Annual Cyber and Information Security Research Conference
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-3752-6
Keywords: composability, Cyber Attacks, machine learning, privacy, pubcrawl, random forests, Resiliency, tunneling

This paper describes an approach for detecting the presence of domain name system (DNS) tunnels in network traffic. DNS tunneling is a common technique attackers use to establish command-and-control nodes and to exfiltrate data from networks. To generate training data sufficient to build models that detect DNS tunneling activity, a penetration testing effort was employed. We extracted features from this data and trained random forest classifiers to distinguish normal DNS activity from tunneling activity. The classifiers successfully detected the tunnels they were trained on, as well as four other types of tunnels that were not part of the training set.
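The abstract only sketches the pipeline (extract per-query features, train random forests, vote). The following is an added, self-contained illustration of that pipeline; it is not the paper's code, and the feature set, the forest parameters and the sample query names are all my own assumptions, since the page does not list the authors' features or data. It assumes query names have already been parsed out of the PCAP, uses a small hand-written random forest (bootstrap sampling, per-node random feature subsets, Gini splits) so that it runs without scikit-learn, and approximates the registered domain as the last two labels.

```python
import math
import random
from collections import Counter

# Constructed sample DNS query names (illustrative only; not the paper's
# penetration-test traffic). The tunnel queries carry hex-encoded payload in a
# long, high-entropy leftmost label under a short delegated zone.
BENIGN_QUERIES = [
    "www.example.com.", "mail.example.org.", "cdn.static.example.net.",
    "api.service.example.com.", "login.example.com.", "img.example.com.",
    "ns1.example.org.", "www.wikipedia.org.", "update.example.net.",
    "time.example.net.",
]
TUNNEL_QUERIES = [
    "3q2b7f9a1c0e4d8b6a2fz9.t.example.com.", "8e1f4a0c9d3b7e2a5f6c1d.t.example.com.",
    "0a5d2c8b1e7f3a9c4d6e0b.t.example.com.", "6f9b2e4a1d7c0f5a3b8e2d.t.example.com.",
    "1c7a3e9f5b0d2a8c4e6f1b.t.example.com.", "9d4b0f2a6c1e8b3d5a7c9e.t.example.com.",
    "2e8c5a1f7d3b9e0a4c6d2f.t.example.com.", "7b3f9d1a5e2c8b0f4a6d7c.t.example.com.",
    "4a0e6c2b8d1f5a9c3e7b4d.t.example.com.", "5c1d7b3e9a0f2c6d8b4e5a.t.example.com.",
]


def shannon_entropy(text):
    """Bits per character of `text`; 0.0 for an empty string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def extract_features(qname):
    """Per-query feature vector (an assumed feature set, not the paper's).
    The registered domain is approximated as the last two labels."""
    labels = qname.rstrip(".").split(".")
    sub = "".join(labels[:-2])                  # characters below the registered domain
    digits = sum(ch.isdigit() for ch in sub)
    return [
        len(qname),                             # total query-name length
        len(labels),                            # number of labels
        max(len(label) for label in labels),    # longest single label
        shannon_entropy(sub),                   # entropy of subdomain characters
        digits / len(sub) if sub else 0.0,      # digit ratio in the subdomain
    ]


def gini(labels):
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values()) if n else 0.0


def best_split(X, y, feats):
    """Lowest weighted-Gini (feature, threshold) among the candidate features."""
    best = None
    for f in feats:
        for t in sorted({row[f] for row in X}):
            left = [y[i] for i in range(len(X)) if X[i][f] <= t]
            right = [y[i] for i in range(len(X)) if X[i][f] > t]
            if not left or not right:
                continue
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(X)
            if best is None or score < best[0]:
                best = (score, f, t)
    return best


def build_tree(X, y, n_feats, depth, rng):
    """Leaf = class label; internal node = (feature, threshold, left, right)."""
    if depth == 0 or len(set(y)) == 1:
        return Counter(y).most_common(1)[0][0]
    split = best_split(X, y, rng.sample(range(len(X[0])), n_feats))  # per-node subset
    if split is None:
        return Counter(y).most_common(1)[0][0]
    _, f, t = split
    li = [i for i in range(len(X)) if X[i][f] <= t]
    ri = [i for i in range(len(X)) if X[i][f] > t]
    return (f, t,
            build_tree([X[i] for i in li], [y[i] for i in li], n_feats, depth - 1, rng),
            build_tree([X[i] for i in ri], [y[i] for i in ri], n_feats, depth - 1, rng))


def predict_tree(node, x):
    while isinstance(node, tuple):
        f, t, left, right = node
        node = left if x[f] <= t else right
    return node


def train_forest(X, y, n_trees=25, max_depth=3, seed=1):
    """Random forest: each tree sees a bootstrap sample and sqrt(#features) per node."""
    rng = random.Random(seed)
    n_feats = max(1, int(math.sqrt(len(X[0]))))
    forest = []
    for _ in range(n_trees):
        idx = [rng.randrange(len(X)) for _ in X]          # bootstrap resample
        forest.append(build_tree([X[i] for i in idx], [y[i] for i in idx],
                                 n_feats, max_depth, rng))
    return forest


def classify(forest, qname):
    """Majority vote of the trees over the query's feature vector."""
    x = extract_features(qname)
    return Counter(predict_tree(tree, x) for tree in forest).most_common(1)[0][0]


def train_tunnel_detector(seed=1):
    X = [extract_features(q) for q in BENIGN_QUERIES + TUNNEL_QUERIES]
    y = ["benign"] * len(BENIGN_QUERIES) + ["tunnel"] * len(TUNNEL_QUERIES)
    return train_forest(X, y, seed=seed)


if __name__ == "__main__":
    detector = train_tunnel_detector()
    for q in ("docs.example.com.", "4a7f0c2e9b1d8f3a6c5e0b2d7f.e.example.com."):
        print(q, "->", classify(detector, q))
```

The held-out names in the usage block were never seen during training; the second one uses a different delegated zone (`e.example.com`) than the training tunnels, which is a toy version of the abstract's point that the classifiers generalised to tunnel types outside the training set. In practice the per-query features would be joined with flow-level ones from the PCAP (query rate per client, TXT/NULL record ratio, response sizes), which this example omits.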

Citation Key: buczak_detection_2016