Flow-based detection of DNS tunnels

W. Ellens, P. Zuraniewski, H. Schotanus, M.R.H. Mandjes, E. Meeuwissen

    Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, Academic, peer-reviewed

    Abstract

    DNS tunnels allow circumventing access and security policies in firewalled networks. Such a security breach can be misused for activities like free web browsing, but also for command & control traffic or cyber espionage, thus motivating the search for effective automated DNS tunnel detection techniques. In this paper we develop such a technique, based on the monitoring and analysis of network flows. Our methodology combines flow information with statistical methods for anomaly detection. The contribution of our paper is twofold. Firstly, based on flow-derived variables that we identified as indicative of DNS tunnelling activity, we identify and evaluate a set of non-parametric statistical tests that are particularly useful in this context. Secondly, the efficacy of the resulting tests is demonstrated by extensive validation experiments in an operational environment, covering many different usage scenarios.

    Original language: Undefined
    Title of host publication: Proceedings of the 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013
    Editors: Guillaume Doyen, Martin Waldburger, Pavel Celeda, Anna Sperotto, Burkhard Stiller
    Place of Publication: Berlin
    Publisher: Springer
    Pages: 124-135
    Number of pages: 12
    ISBN (Print): 978-3-642-38997-9
    DOI: https://doi.org/10.1007/978-3-642-38998-6_16
    Publication status: Published - Jun 2013

    Publication series

    Name: Lecture Notes in Computer Science
    Publisher: Springer Verlag
    Volume: 7943
    ISSN (Print): 0302-9743
    ISSN (Electronic): 1611-3349

    Keywords

    • METIS-297734
    • IR-86797
    • EWI-23518

    Cite this

    Ellens, W., Zuraniewski, P., Schotanus, H., Mandjes, M. R. H., & Meeuwissen, E. (2013). Flow-based detection of DNS tunnels. In G. Doyen, M. Waldburger, P. Celeda, A. Sperotto, & B. Stiller (Eds.), Proceedings of the 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013 (pp. 124-135). (Lecture Notes in Computer Science; Vol. 7943). Berlin: Springer. https://doi.org/10.1007/978-3-642-38998-6_16