Flow-based detection of DNS tunnels

W. Ellens, P. Zuraniewski, H. Schotanus, M.R.H. Mandjes, E. Meeuwissen

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

16 Citations (Scopus)
84 Downloads (Pure)

Abstract

DNS tunnels allow circumventing access and security policies in firewalled networks. Such a security breach can be misused for activities like free web browsing, but also for command & control traffic or cyber espionage, thus motivating the search for effective automated DNS tunnel detection techniques. In this paper we develop such a technique, based on the monitoring and analysis of network flows. Our methodology combines flow information with statistical methods for anomaly detection. The contribution of our paper is twofold. Firstly, based on flow-derived variables that we identified as indicative of DNS tunnelling activities, we identify and evaluate a set of non-parametric statistical tests that are particularly useful in this context. Secondly, the efficacy of the resulting tests is demonstrated by extensive validation experiments in an operational environment, covering many different usage scenarios.
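The abstract describes the approach only at the level of "flow-derived variables" and "non-parametric statistical tests". The following is an added example of that pattern, written for this page; it is not the authors' implementation and does not reproduce their variable set or the tests they evaluated. It assumes one flow-derived variable (bytes per packet of UDP/53 flows), one non-parametric test (a tie-corrected Mann-Whitney U statistic expressed as a z-score), an arbitrary flag threshold of z > 3, and constructed flow records in place of captured traffic.

```python
"""Flow-level DNS tunnel detection with a non-parametric two-sample test.

Added example for this page, not the paper's code.  The variable
(bytes per packet of UDP/53 flows), the test (Mann-Whitney U, normal
approximation with tie correction), the z threshold and every flow
record below are assumptions made for illustration.
"""
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class Flow:
    """One exported flow record (NetFlow/IPFIX-style, unidirectional)."""
    start: float   # seconds
    src: str
    dst: str
    proto: int     # 17 = UDP
    sport: int
    dport: int
    packets: int
    bytes: int


def dns_flows(flows):
    """Keep only UDP flows to or from port 53."""
    return [f for f in flows if f.proto == 17 and 53 in (f.sport, f.dport)]


def bytes_per_packet(flows):
    """Flow-derived variable: mean bytes per packet of each flow."""
    return [f.bytes / f.packets for f in flows]


def _average_ranks(values):
    """1-based ranks, ties sharing their average rank; also returns tie sizes."""
    order = sorted(range(len(values)), key=values.__getitem__)
    ranks, ties, i = [0.0] * len(values), [], 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j + 2) / 2.0          # mean of positions i+1 .. j+1
        for k in range(i, j + 1):
            ranks[order[k]] = avg
        ties.append(j - i + 1)
        i = j + 1
    return ranks, ties


def mann_whitney_z(x, y):
    """Mann-Whitney U of sample y against sample x as a z-score.
    Positive z: values in y tend to be larger than in x.  Ties are
    common with integer byte counts, so the variance is tie-corrected."""
    nx, ny = len(x), len(y)
    if nx == 0 or ny == 0:
        raise ValueError("both samples must be non-empty")
    ranks, ties = _average_ranks(list(x) + list(y))
    u_y = sum(ranks[nx:]) - ny * (ny + 1) / 2.0
    n = nx + ny
    tie_term = sum(t ** 3 - t for t in ties) / (n * (n - 1))
    var_u = nx * ny / 12.0 * ((n + 1) - tie_term)
    if var_u <= 0:                       # everything tied: no evidence
        return 0.0
    return (u_y - nx * ny / 2.0) / sqrt(var_u)


def score_sources(baseline, window, z_threshold=3.0):
    """Test each source's DNS flows in the window against the baseline pool.
    Returns {src: (z, flagged)} so the alert names the suspect host."""
    base = bytes_per_packet(dns_flows(baseline))
    per_src = {}
    for f in dns_flows(window):
        per_src.setdefault(f.src, []).append(f.bytes / f.packets)
    result = {}
    for src, vals in per_src.items():
        z = mann_whitney_z(base, vals)
        result[src] = (z, z > z_threshold)
    return result


def _synth(hosts, minutes, per_minute, bpp_low, bpp_span, t0):
    """Deterministic constructed flows (not captured traffic)."""
    flows, k = [], 0
    for m in range(minutes):
        for h in hosts:
            for i in range(per_minute):
                packets = 1 + k % 3
                bpp = bpp_low + (k * 37) % bpp_span
                flows.append(Flow(t0 + 60 * m + i, h, "10.0.0.53", 17,
                                  40000 + k % 20000, 53, packets, packets * bpp))
                k += 1
    return flows


NORMAL_HOSTS = ("10.0.0.11", "10.0.0.12", "10.0.0.13")   # assumed addresses
TUNNEL_HOST = "10.0.0.77"


def baseline_flows():
    """One hour of ordinary resolver traffic: 60..139 bytes per packet."""
    return _synth(NORMAL_HOSTS, 60, 6, 60, 80, t0=0.0)


def window_flows():
    """Five-minute window: same hosts, plus one host sending 40 flows/min of
    200..319 bytes per packet (long-QNAME / large-answer tunnel profile)."""
    return (_synth(NORMAL_HOSTS, 5, 6, 60, 80, t0=3600.0)
            + _synth((TUNNEL_HOST,), 5, 40, 200, 120, t0=3600.0))


if __name__ == "__main__":
    for src, (z, flagged) in sorted(score_sources(baseline_flows(), window_flows()).items()):
        print(f"{src:12s} z={z:7.2f} {'TUNNEL?' if flagged else 'ok'}")
```

A per-source comparison against a pooled baseline is used here so that an alert identifies the client rather than only the window; in practice the baseline should be learned per network and refreshed, and a single variable will miss tunnels that keep payloads small, which is why the paper works with a set of variables and tests rather than one.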
Original language: Undefined
Title of host publication: Proceedings of the 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013
Editors: Guillaume Doyen, Martin Waldburger, Pavel Celeda, Anna Sperotto, Burkhard Stiller
Place of Publication: Berlin
Publisher: Springer
Pages: 124-135
Number of pages: 12
ISBN (Print): 978-3-642-38997-9
DOIs: https://doi.org/10.1007/978-3-642-38998-6_16
Publication status: Published - Jun 2013

Publication series

Name: Lecture Notes in Computer Science
Publisher: Springer Verlag
Volume: 7943
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Keywords

  • METIS-297734
  • IR-86797
  • EWI-23518

Cite this

Ellens, W., Zuraniewski, P., Schotanus, H., Mandjes, M. R. H., & Meeuwissen, E. (2013). Flow-based detection of DNS tunnels. In G. Doyen, M. Waldburger, P. Celeda, A. Sperotto, & B. Stiller (Eds.), Proceedings of the 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013 (pp. 124-135). (Lecture Notes in Computer Science; Vol. 7943). Berlin: Springer. https://doi.org/10.1007/978-3-642-38998-6_16
Ellens, W. ; Zuraniewski, P. ; Schotanus, H. ; Mandjes, M.R.H. ; Meeuwissen, E. / Flow-based detection of DNS tunnels. Proceedings of the 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013. editor / Guillaume Doyen ; Martin Waldburger ; Pavel Celeda ; Anna Sperotto ; Burkhard Stiller. Berlin : Springer, 2013. pp. 124-135 (Lecture Notes in Computer Science).
@inproceedings{ef93bf501b5b40d496519748ad41bd19,
title = "Flow-based detection of DNS tunnels",
abstract = "DNS tunnels allow circumventing access and security policies in firewalled networks. Such a security breach can be misused for activities like free web browsing, but also for command & control traffic or cyber espionage, thus motivating the search for effective automated DNS tunnel detection techniques. In this paper we develop such a technique, based on the monitoring and analysis of network flows. Our methodology combines flow information with statistical methods for anomaly detection. The contribution of our paper is twofold. Firstly, based on flow-derived variables that we identified as indicative of DNS tunnelling activities, we identify and evaluate a set of non-parametrical statistical tests that are particularly useful in this context. Secondly, the efficacy of the resulting tests is demonstrated by extensive validation experiments in an operational environment, covering many different usage scenarios.",
keywords = "METIS-297734, IR-86797, EWI-23518",
author = "W. Ellens and P. Zuraniewski and H. Schotanus and M.R.H. Mandjes and E. Meeuwissen",
note = "10.1007/978-3-642-38998-6_16",
year = "2013",
month = "6",
doi = "10.1007/978-3-642-38998-6_16",
language = "Undefined",
isbn = "978-3-642-38997-9",
series = "Lecture Notes in Computer Science",
publisher = "Springer",
pages = "124--135",
editor = "Guillaume Doyen and Martin Waldburger and Pavel Celeda and Anna Sperotto and Burkhard Stiller",
booktitle = "Proceedings of the 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013",

}

Ellens, W, Zuraniewski, P, Schotanus, H, Mandjes, MRH & Meeuwissen, E 2013, Flow-based detection of DNS tunnels. in G Doyen, M Waldburger, P Celeda, A Sperotto & B Stiller (eds), Proceedings of the 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013. Lecture Notes in Computer Science, vol. 7943, Springer, Berlin, pp. 124-135. https://doi.org/10.1007/978-3-642-38998-6_16

Flow-based detection of DNS tunnels. / Ellens, W.; Zuraniewski, P.; Schotanus, H.; Mandjes, M.R.H.; Meeuwissen, E.

Proceedings of the 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013. ed. / Guillaume Doyen; Martin Waldburger; Pavel Celeda; Anna Sperotto; Burkhard Stiller. Berlin : Springer, 2013. p. 124-135 (Lecture Notes in Computer Science; Vol. 7943).


TY - GEN

T1 - Flow-based detection of DNS tunnels

AU - Ellens, W.

AU - Zuraniewski, P.

AU - Schotanus, H.

AU - Mandjes, M.R.H.

AU - Meeuwissen, E.

N1 - 10.1007/978-3-642-38998-6_16

PY - 2013/6

Y1 - 2013/6

N2 - DNS tunnels allow circumventing access and security policies in firewalled networks. Such a security breach can be misused for activities like free web browsing, but also for command & control traffic or cyber espionage, thus motivating the search for effective automated DNS tunnel detection techniques. In this paper we develop such a technique, based on the monitoring and analysis of network flows. Our methodology combines flow information with statistical methods for anomaly detection. The contribution of our paper is twofold. Firstly, based on flow-derived variables that we identified as indicative of DNS tunnelling activities, we identify and evaluate a set of non-parametrical statistical tests that are particularly useful in this context. Secondly, the efficacy of the resulting tests is demonstrated by extensive validation experiments in an operational environment, covering many different usage scenarios.

AB - DNS tunnels allow circumventing access and security policies in firewalled networks. Such a security breach can be misused for activities like free web browsing, but also for command & control traffic or cyber espionage, thus motivating the search for effective automated DNS tunnel detection techniques. In this paper we develop such a technique, based on the monitoring and analysis of network flows. Our methodology combines flow information with statistical methods for anomaly detection. The contribution of our paper is twofold. Firstly, based on flow-derived variables that we identified as indicative of DNS tunnelling activities, we identify and evaluate a set of non-parametrical statistical tests that are particularly useful in this context. Secondly, the efficacy of the resulting tests is demonstrated by extensive validation experiments in an operational environment, covering many different usage scenarios.

KW - METIS-297734

KW - IR-86797

KW - EWI-23518

U2 - 10.1007/978-3-642-38998-6_16

DO - 10.1007/978-3-642-38998-6_16

M3 - Conference contribution

SN - 978-3-642-38997-9

T3 - Lecture Notes in Computer Science

SP - 124

EP - 135

BT - Proceedings of the 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013

A2 - Doyen, Guillaume

A2 - Waldburger, Martin

A2 - Celeda, Pavel

A2 - Sperotto, Anna

A2 - Stiller, Burkhard

PB - Springer

CY - Berlin

ER -

Ellens W, Zuraniewski P, Schotanus H, Mandjes MRH, Meeuwissen E. Flow-based detection of DNS tunnels. In Doyen G, Waldburger M, Celeda P, Sperotto A, Stiller B, editors, Proceedings of the 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013. Berlin: Springer. 2013. p. 124-135. (Lecture Notes in Computer Science). https://doi.org/10.1007/978-3-642-38998-6_16