Flow-based detection of DNS tunnels

W. Ellens; P. Zuraniewski; H. Schotanus; M.R.H. Mandjes; E. Meeuwissen

doi:10.1007/978-3-642-38998-6_16

Flow-based detection of DNS tunnels

W. Ellens, P. Zuraniewski, H. Schotanus, M.R.H. Mandjes, E. Meeuwissen

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

48 Citations (Scopus)

142 Downloads (Pure)

Abstract

DNS tunnels allow circumventing access and security policies in firewalled networks. Such a security breach can be misused for activities like free web browsing, but also for command & control traffic or cyber espionage, thus motivating the search for effective automated DNS tunnel detection techniques. In this paper we develop such a technique, based on the monitoring and analysis of network flows. Our methodology combines flow information with statistical methods for anomaly detection. The contribution of our paper is twofold. Firstly, based on flow-derived variables that we identified as indicative of DNS tunnelling activities, we identify and evaluate a set of non-parametrical statistical tests that are particularly useful in this context. Secondly, the efficacy of the resulting tests is demonstrated by extensive validation experiments in an operational environment, covering many different usage scenarios.

Original language	Undefined
Title of host publication	Proceedings of the 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013
Editors	Guillaume Doyen, Martin Waldburger, Pavel Celeda, Anna Sperotto, Burkhard Stiller
Place of Publication	Berlin
Publisher	Springer
Pages	124-135
Number of pages	12
ISBN (Print)	978-3-642-38997-9
DOIs	https://doi.org/10.1007/978-3-642-38998-6_16
Publication status	Published - Jun 2013
Event	7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013 - Barcelona, Spain Duration: 25 Jun 2013 → 28 Jun 2013 Conference number: 7

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer Verlag
Volume	7943
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013
Abbreviated title	AIMS 2013
Country/Territory	Spain
City	Barcelona
Period	25/06/13 → 28/06/13

Keywords

METIS-297734
IR-86797
EWI-23518

Access to Document

10.1007/978-3-642-38998-6_16

10.1007_978-3-642-38998-6_16

Cite this

Ellens, W., Zuraniewski, P., Schotanus, H., Mandjes, M. R. H., & Meeuwissen, E. (2013). Flow-based detection of DNS tunnels. In G. Doyen, M. Waldburger, P. Celeda, A. Sperotto, & B. Stiller (Eds.), Proceedings of the 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013 (pp. 124-135). (Lecture Notes in Computer Science; Vol. 7943). Springer. https://doi.org/10.1007/978-3-642-38998-6_16

Ellens, W. ; Zuraniewski, P. ; Schotanus, H. et al. / Flow-based detection of DNS tunnels. Proceedings of the 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013. editor / Guillaume Doyen ; Martin Waldburger ; Pavel Celeda ; Anna Sperotto ; Burkhard Stiller. Berlin : Springer, 2013. pp. 124-135 (Lecture Notes in Computer Science).

@inproceedings{ef93bf501b5b40d496519748ad41bd19,

title = "Flow-based detection of DNS tunnels",

abstract = "DNS tunnels allow circumventing access and security policies in firewalled networks. Such a security breach can be misused for activities like free web browsing, but also for command & control traffic or cyber espionage, thus motivating the search for effective automated DNS tunnel detection techniques. In this paper we develop such a technique, based on the monitoring and analysis of network flows. Our methodology combines flow information with statistical methods for anomaly detection. The contribution of our paper is twofold. Firstly, based on flow-derived variables that we identified as indicative of DNS tunnelling activities, we identify and evaluate a set of non-parametrical statistical tests that are particularly useful in this context. Secondly, the efficacy of the resulting tests is demonstrated by extensive validation experiments in an operational environment, covering many different usage scenarios.",

keywords = "METIS-297734, IR-86797, EWI-23518",

author = "W. Ellens and P. Zuraniewski and H. Schotanus and M.R.H. Mandjes and E. Meeuwissen",

note = "10.1007/978-3-642-38998-6_16 ; 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013 ; Conference date: 25-06-2013 Through 28-06-2013",

year = "2013",

month = jun,

doi = "10.1007/978-3-642-38998-6_16",

language = "Undefined",

isbn = "978-3-642-38997-9",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "124--135",

editor = "Guillaume Doyen and Martin Waldburger and Pavel Celeda and Anna Sperotto and Burkhard Stiller",

booktitle = "Proceedings of the 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013",

address = "Germany",

}

Ellens, W, Zuraniewski, P, Schotanus, H, Mandjes, MRH & Meeuwissen, E 2013, Flow-based detection of DNS tunnels. in G Doyen, M Waldburger, P Celeda, A Sperotto & B Stiller (eds), Proceedings of the 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013. Lecture Notes in Computer Science, vol. 7943, Springer, Berlin, pp. 124-135, 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013, Barcelona, Spain, 25/06/13. https://doi.org/10.1007/978-3-642-38998-6_16

Flow-based detection of DNS tunnels. / Ellens, W.; Zuraniewski, P.; Schotanus, H. et al.
Proceedings of the 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013. ed. / Guillaume Doyen; Martin Waldburger; Pavel Celeda; Anna Sperotto; Burkhard Stiller. Berlin: Springer, 2013. p. 124-135 (Lecture Notes in Computer Science; Vol. 7943).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Flow-based detection of DNS tunnels

AU - Ellens, W.

AU - Zuraniewski, P.

AU - Schotanus, H.

AU - Mandjes, M.R.H.

AU - Meeuwissen, E.

N1 - Conference code: 7

PY - 2013/6

Y1 - 2013/6

N2 - DNS tunnels allow circumventing access and security policies in firewalled networks. Such a security breach can be misused for activities like free web browsing, but also for command & control traffic or cyber espionage, thus motivating the search for effective automated DNS tunnel detection techniques. In this paper we develop such a technique, based on the monitoring and analysis of network flows. Our methodology combines flow information with statistical methods for anomaly detection. The contribution of our paper is twofold. Firstly, based on flow-derived variables that we identified as indicative of DNS tunnelling activities, we identify and evaluate a set of non-parametrical statistical tests that are particularly useful in this context. Secondly, the efficacy of the resulting tests is demonstrated by extensive validation experiments in an operational environment, covering many different usage scenarios.

AB - DNS tunnels allow circumventing access and security policies in firewalled networks. Such a security breach can be misused for activities like free web browsing, but also for command & control traffic or cyber espionage, thus motivating the search for effective automated DNS tunnel detection techniques. In this paper we develop such a technique, based on the monitoring and analysis of network flows. Our methodology combines flow information with statistical methods for anomaly detection. The contribution of our paper is twofold. Firstly, based on flow-derived variables that we identified as indicative of DNS tunnelling activities, we identify and evaluate a set of non-parametrical statistical tests that are particularly useful in this context. Secondly, the efficacy of the resulting tests is demonstrated by extensive validation experiments in an operational environment, covering many different usage scenarios.

KW - METIS-297734

KW - IR-86797

KW - EWI-23518

U2 - 10.1007/978-3-642-38998-6_16

DO - 10.1007/978-3-642-38998-6_16

M3 - Conference contribution

SN - 978-3-642-38997-9

T3 - Lecture Notes in Computer Science

SP - 124

EP - 135

BT - Proceedings of the 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013

A2 - Doyen, Guillaume

A2 - Waldburger, Martin

A2 - Celeda, Pavel

A2 - Sperotto, Anna

A2 - Stiller, Burkhard

PB - Springer

CY - Berlin

T2 - 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013

Y2 - 25 June 2013 through 28 June 2013

ER -

Ellens W, Zuraniewski P, Schotanus H, Mandjes MRH, Meeuwissen E. Flow-based detection of DNS tunnels. In Doyen G, Waldburger M, Celeda P, Sperotto A, Stiller B, editors, Proceedings of the 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013. Berlin: Springer. 2013. p. 124-135. (Lecture Notes in Computer Science). doi: 10.1007/978-3-642-38998-6_16