Detecting DNS-based covert channel on live traffic

Si-yu ZHANG; Fu-tai1 ZOU; Lu-hua WANG; Ming CHEN

Tongxin xuebao (May 2013)

Detecting DNS-based covert channel on live traffic

Si-yu ZHANG,
Fu-tai1 ZOU,
Lu-hua WANG,
Ming CHEN

Affiliations

Si-yu ZHANG
Fu-tai1 ZOU
Lu-hua WANG
Ming CHEN

Journal volume & issue: Vol. 34
pp. 143 – 151

Abstract

Read online

To propose an effective detection method for DNS-based covert channel,traffic characteristics were thor-oughly studied.12 features were extracted from DNS packets to distinguish covert channels from legitimate DNS queries.Statistical characteristics of these features are used as input of the machine learning classifier.Experimental results show that the decision tree model detects all 22 covert channels used in training,and is capable of detecting untrained covert channels.Several DNS tunnels were detected during the evaluation on campus network's live DNS traffic.

domain name system;covert channel;intrusion detection;machine learning;network security

Published in Tongxin xuebao

ISSN: 1000-436X (Print)
Publisher: Editorial Department of Journal on Communications
Country of publisher: China
LCC subjects: Technology: Electrical engineering. Electronics. Nuclear engineering: Telecommunication
Website: http://www.infocomm-journal.com/txxb/EN/1000-436X/home.shtml

About the journal

Abstract

Keywords