Flow-based detection of DNS tunnels

Wendy Ellens; Piotr Zuraniewski; Harm Schotanus; Anna Sperotto; Michel Mandjes; Erik Meeuwissen

doi:10.1007/978-3-642-38998-6_16

Flow-based detection of DNS tunnels

Wendy Ellens
, Piotr Zuraniewski
, Harm Schotanus
, Anna Sperotto
, Michel Mandjes
, Erik Meeuwissen

Design and Analysis of Communication Systems

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

49 Citations (Scopus)

113 Downloads (Pure)

Abstract

DNS tunnels allow circumventing access and security policies in firewalled networks. Such a security breach can be misused for activities like free web browsing, but also for command & control traffic or cyber espionage, thus motivating the search for effective automated DNS tunnel detection techniques. In this paper we develop such a technique, based on the monitoring and analysis of network flows. Our methodology combines flow information with statistical methods for anomaly detection. The contribution of our paper is twofold. Firstly, based on flow-derived variables that we identified as indicative of DNS tunnelling activities, we identify and evaluate a set of non-parametrical statistical tests that are particularly useful in this context. Secondly, the efficacy of the resulting tests is demonstrated by extensive validation experiments in an operational environment, covering many different usage scenarios.

Original language	English
Title of host publication	Emerging Management Mechanisms for the Future Internet
Subtitle of host publication	7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013, Barcelona, Spain, June 25-28, 2013, Proceedings
Editors	Guillaume Doyen, Martin Waldburger, Pavel Celeda, Anna Sperotto, Burkhard Stiller
Place of Publication	Berlin, Heidelberg
Publisher	Springer
Pages	124-135
Number of pages	12
ISBN (Electronic)	978-3-642-38998-6
ISBN (Print)	978-3-642-38997-9
DOIs	https://doi.org/10.1007/978-3-642-38998-6_16
Publication status	Published - Jun 2013
Event	7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013 - Barcelona, Spain Duration: 25 Jun 2013 → 28 Jun 2013 Conference number: 7

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer Verlag
Volume	7943
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013
Abbreviated title	AIMS 2013
Country/Territory	Spain
City	Barcelona
Period	25/06/13 → 28/06/13

Keywords

2020 OA procedure

Access to Document

10.1007/978-3-642-38998-6_16

ArticleFinal published version, 443 KBLicence: Taverne

Cite this

Ellens, W., Zuraniewski, P., Schotanus, H., Sperotto, A., Mandjes, M., & Meeuwissen, E. (2013). Flow-based detection of DNS tunnels. In G. Doyen, M. Waldburger, P. Celeda, A. Sperotto, & B. Stiller (Eds.), Emerging Management Mechanisms for the Future Internet: 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013, Barcelona, Spain, June 25-28, 2013, Proceedings (pp. 124-135). (Lecture Notes in Computer Science; Vol. 7943). Springer. https://doi.org/10.1007/978-3-642-38998-6_16

Ellens, Wendy ; Zuraniewski, Piotr ; Schotanus, Harm et al. / Flow-based detection of DNS tunnels. Emerging Management Mechanisms for the Future Internet: 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013, Barcelona, Spain, June 25-28, 2013, Proceedings. editor / Guillaume Doyen ; Martin Waldburger ; Pavel Celeda ; Anna Sperotto ; Burkhard Stiller. Berlin, Heidelberg : Springer, 2013. pp. 124-135 (Lecture Notes in Computer Science).

@inproceedings{ef93bf501b5b40d496519748ad41bd19,

title = "Flow-based detection of DNS tunnels",

abstract = "DNS tunnels allow circumventing access and security policies in firewalled networks. Such a security breach can be misused for activities like free web browsing, but also for command \& control traffic or cyber espionage, thus motivating the search for effective automated DNS tunnel detection techniques. In this paper we develop such a technique, based on the monitoring and analysis of network flows. Our methodology combines flow information with statistical methods for anomaly detection. The contribution of our paper is twofold. Firstly, based on flow-derived variables that we identified as indicative of DNS tunnelling activities, we identify and evaluate a set of non-parametrical statistical tests that are particularly useful in this context. Secondly, the efficacy of the resulting tests is demonstrated by extensive validation experiments in an operational environment, covering many different usage scenarios.",

keywords = "2020 OA procedure",

author = "Wendy Ellens and Piotr Zuraniewski and Harm Schotanus and Anna Sperotto and Michel Mandjes and Erik Meeuwissen",

year = "2013",

month = jun,

doi = "10.1007/978-3-642-38998-6\_16",

language = "English",

isbn = "978-3-642-38997-9",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "124--135",

editor = "Guillaume Doyen and Martin Waldburger and Pavel Celeda and Anna Sperotto and Burkhard Stiller",

booktitle = "Emerging Management Mechanisms for the Future Internet",

address = "Germany",

note = "7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013, AIMS 2013 ; Conference date: 25-06-2013 Through 28-06-2013",

}

Ellens, W, Zuraniewski, P, Schotanus, H, Sperotto, A, Mandjes, M & Meeuwissen, E 2013, Flow-based detection of DNS tunnels. in G Doyen, M Waldburger, P Celeda, A Sperotto & B Stiller (eds), Emerging Management Mechanisms for the Future Internet: 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013, Barcelona, Spain, June 25-28, 2013, Proceedings. Lecture Notes in Computer Science, vol. 7943, Springer, Berlin, Heidelberg, pp. 124-135, 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013, Barcelona, Spain, 25/06/13. https://doi.org/10.1007/978-3-642-38998-6_16

Flow-based detection of DNS tunnels. / Ellens, Wendy; Zuraniewski, Piotr; Schotanus, Harm et al.
Emerging Management Mechanisms for the Future Internet: 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013, Barcelona, Spain, June 25-28, 2013, Proceedings. ed. / Guillaume Doyen; Martin Waldburger; Pavel Celeda; Anna Sperotto; Burkhard Stiller. Berlin, Heidelberg: Springer, 2013. p. 124-135 (Lecture Notes in Computer Science; Vol. 7943).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Flow-based detection of DNS tunnels

AU - Ellens, Wendy

AU - Zuraniewski, Piotr

AU - Schotanus, Harm

AU - Sperotto, Anna

AU - Mandjes, Michel

AU - Meeuwissen, Erik

N1 - Conference code: 7

PY - 2013/6

Y1 - 2013/6

N2 - DNS tunnels allow circumventing access and security policies in firewalled networks. Such a security breach can be misused for activities like free web browsing, but also for command & control traffic or cyber espionage, thus motivating the search for effective automated DNS tunnel detection techniques. In this paper we develop such a technique, based on the monitoring and analysis of network flows. Our methodology combines flow information with statistical methods for anomaly detection. The contribution of our paper is twofold. Firstly, based on flow-derived variables that we identified as indicative of DNS tunnelling activities, we identify and evaluate a set of non-parametrical statistical tests that are particularly useful in this context. Secondly, the efficacy of the resulting tests is demonstrated by extensive validation experiments in an operational environment, covering many different usage scenarios.

AB - DNS tunnels allow circumventing access and security policies in firewalled networks. Such a security breach can be misused for activities like free web browsing, but also for command & control traffic or cyber espionage, thus motivating the search for effective automated DNS tunnel detection techniques. In this paper we develop such a technique, based on the monitoring and analysis of network flows. Our methodology combines flow information with statistical methods for anomaly detection. The contribution of our paper is twofold. Firstly, based on flow-derived variables that we identified as indicative of DNS tunnelling activities, we identify and evaluate a set of non-parametrical statistical tests that are particularly useful in this context. Secondly, the efficacy of the resulting tests is demonstrated by extensive validation experiments in an operational environment, covering many different usage scenarios.

KW - 2020 OA procedure

U2 - 10.1007/978-3-642-38998-6_16

DO - 10.1007/978-3-642-38998-6_16

M3 - Conference contribution

SN - 978-3-642-38997-9

T3 - Lecture Notes in Computer Science

SP - 124

EP - 135

BT - Emerging Management Mechanisms for the Future Internet

A2 - Doyen, Guillaume

A2 - Waldburger, Martin

A2 - Celeda, Pavel

A2 - Sperotto, Anna

A2 - Stiller, Burkhard

PB - Springer

CY - Berlin, Heidelberg

T2 - 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013

Y2 - 25 June 2013 through 28 June 2013

ER -

Ellens W, Zuraniewski P, Schotanus H, Sperotto A, Mandjes M, Meeuwissen E. Flow-based detection of DNS tunnels. In Doyen G, Waldburger M, Celeda P, Sperotto A, Stiller B, editors, Emerging Management Mechanisms for the Future Internet: 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013, Barcelona, Spain, June 25-28, 2013, Proceedings. Berlin, Heidelberg: Springer. 2013. p. 124-135. (Lecture Notes in Computer Science). doi: 10.1007/978-3-642-38998-6_16

Flow-based detection of DNS tunnels

Abstract

Publication series

Conference

Keywords

Access to Document

Fingerprint

Cite this