Visible to the public Detection of Exfiltration and Tunneling over DNS

TitleDetection of Exfiltration and Tunneling over DNS
Publication TypeConference Paper
Year of Publication2017
AuthorsDas, A., Shen, M. Y., Shashanka, M., Wang, J.
Conference Name2017 16th IEEE International Conference on Machine Learning and Applications (ICMLA)
Keywordsadvanced persistent threat attacks, advanced persistent threats, C&c, command & control servers, command and control systems, DNS, DNS tunnel, domain name system, encoding, exfiltration, Human Behavior, indicator of compromise, information exfiltration, invasive software, IOC, IP networks, learning (artificial intelligence), machine learning, machine learning models, malicious purposes, Malware, Measurement, Metrics, Monitoring, pubcrawl, resilience, Resiliency, Scalability, Servers, tunneling

This paper proposes a method to detect two primary means of using the Domain Name System (DNS) for malicious purposes. We develop machine learning models to detect information exfiltration from compromised machines and the establishment of command & control (C&C) servers via tunneling. We validate our approach by experiments where we successfully detect a malware used in several recent Advanced Persistent Threat (APT) attacks [1]. The novelty of our method is its robustness, simplicity, scalability, and ease of deployment in a production environment.

Citation Keydas_detection_2017