Abstract
| Original language | Undefined |
|---|---|
| Title of host publication | Proceedings of the 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013 |
| Editors | Guillaume Doyen, Martin Waldburger, Pavel Celeda, Anna Sperotto, Burkhard Stiller |
| Place of Publication | Berlin |
| Publisher | Springer |
| Pages | 124-135 |
| Number of pages | 12 |
| ISBN (Print) | 978-3-642-38997-9 |
| DOIs | |
| Publication status | Published - Jun 2013 |
Publication series
| Name | Lecture Notes in Computer Science |
|---|---|
| Publisher | Springer Verlag |
| Volume | 7943 |
| ISSN (Print) | 0302-9743 |
| ISSN (Electronic) | 1611-3349 |
Keywords
- METIS-297734
- IR-86797
- EWI-23518
Cite this
}
Flow-based detection of DNS tunnels. / Ellens, W.; Zuraniewski, P.; Schotanus, H.; Mandjes, M.R.H.; Meeuwissen, E.
Proceedings of the 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013. ed. / Guillaume Doyen; Martin Waldburger; Pavel Celeda; Anna Sperotto; Burkhard Stiller. Berlin : Springer, 2013. p. 124-135 (Lecture Notes in Computer Science; Vol. 7943).Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review
TY - GEN
T1 - Flow-based detection of DNS tunnels
AU - Ellens, W.
AU - Zuraniewski, P.
AU - Schotanus, H.
AU - Mandjes, M.R.H.
AU - Meeuwissen, E.
N1 - 10.1007/978-3-642-38998-6_16
PY - 2013/6
Y1 - 2013/6
N2 - DNS tunnels allow circumventing access and security policies in firewalled networks. Such a security breach can be misused for activities like free web browsing, but also for command & control traffic or cyber espionage, thus motivating the search for effective automated DNS tunnel detection techniques. In this paper we develop such a technique, based on the monitoring and analysis of network flows. Our methodology combines flow information with statistical methods for anomaly detection. The contribution of our paper is twofold. Firstly, based on flow-derived variables that we identified as indicative of DNS tunnelling activities, we identify and evaluate a set of non-parametrical statistical tests that are particularly useful in this context. Secondly, the efficacy of the resulting tests is demonstrated by extensive validation experiments in an operational environment, covering many different usage scenarios.
AB - DNS tunnels allow circumventing access and security policies in firewalled networks. Such a security breach can be misused for activities like free web browsing, but also for command & control traffic or cyber espionage, thus motivating the search for effective automated DNS tunnel detection techniques. In this paper we develop such a technique, based on the monitoring and analysis of network flows. Our methodology combines flow information with statistical methods for anomaly detection. The contribution of our paper is twofold. Firstly, based on flow-derived variables that we identified as indicative of DNS tunnelling activities, we identify and evaluate a set of non-parametrical statistical tests that are particularly useful in this context. Secondly, the efficacy of the resulting tests is demonstrated by extensive validation experiments in an operational environment, covering many different usage scenarios.
KW - METIS-297734
KW - IR-86797
KW - EWI-23518
U2 - 10.1007/978-3-642-38998-6_16
DO - 10.1007/978-3-642-38998-6_16
M3 - Conference contribution
SN - 978-3-642-38997-9
T3 - Lecture Notes in Computer Science
SP - 124
EP - 135
BT - Proceedings of the 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013
A2 - Doyen, Guillaume
A2 - Waldburger, Martin
A2 - Celeda, Pavel
A2 - Sperotto, Anna
A2 - Stiller, Burkhard
PB - Springer
CY - Berlin
ER -