IEEE Access (Jan 2021)
Application Behavior Identification in DNS Tunnels Based on Spatial-Temporal Information
Abstract
Because it can pass through heavily censored networks and gateways equipped with traffic-monitoring modules, DNS tunneling has become the dominant covert communication technique for command and control between attacker and victim in network attack events. Although the detection of DNS tunnels has been studied intensively, identifying the application behavior carried inside a DNS tunnel remains a challenging problem. Such fine-grained identification can reveal more of the behavioral information wrapped in DNS tunnels. In this study, we use the spatial-temporal information in the raw packets to identify the internal application behaviors of DNS tunnels. Multi-dimensional features of packet length and timing, extracted from DNS tunnels carrying different internal application behaviors, are combined with a machine-learning algorithm to identify those behaviors. We consider four common types of application behavior: browsing web pages, emailing, downloading data, and controlling remote servers. The experimental results show that the proposed scheme achieves higher identification accuracy while consuming far fewer packets than the state-of-the-art internal protocol identification scheme; its F-score reaches 99% with only 100 packets.
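The following is an added, self-contained illustration of the kind of pipeline the abstract describes: a fixed packet budget (100 packets), spatial features from packet lengths, temporal features from inter-arrival gaps, and a classifier trained on labeled tunnel flows. It is example code written for this page, not the authors' implementation; the exact feature set, the nearest-centroid classifier, the `Packet` record, and the synthetic flow generator with its per-behavior length and timing ranges are all assumptions chosen to make the example runnable offline (the flows are constructed, not captured traffic).

```python
"""Toy spatial-temporal behavior identification for DNS tunnel flows.

Example code for this page only. The feature set, the synthetic traffic
parameters and the classifier are assumptions, not the paper's scheme.
"""
import random
from dataclasses import dataclass
from statistics import mean, pstdev

WINDOW = 100  # packet budget: decide after this many packets of a flow


@dataclass
class Packet:
    ts: float        # capture timestamp in seconds
    length: int      # DNS payload length in bytes
    is_query: bool   # True = client -> resolver (upstream), False = response


def _stats(values):
    """mean / population std / max, or zeros for an empty direction."""
    if not values:
        return (0.0, 0.0, 0.0)
    return (mean(values), pstdev(values), max(values))


def extract_features(packets, window=WINDOW):
    """Fixed-length vector from the first `window` packets of one flow."""
    pkts = sorted(packets, key=lambda p: p.ts)[:window]
    if len(pkts) < 2:
        raise ValueError("need at least two packets to compute timing")
    up = [p.length for p in pkts if p.is_query]
    down = [p.length for p in pkts if not p.is_query]
    gaps = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]
    feats = []
    feats += _stats(up)                                  # spatial, upstream
    feats += _stats(down)                                # spatial, downstream
    feats.append(sum(down) / max(1, sum(up) + sum(down)))  # download ratio
    feats += _stats(gaps)                                # temporal
    feats.append(sum(1 for g in gaps if g < 0.01) / len(gaps))  # burstiness
    return feats


# Constructed (assumed) traffic profiles for the four behaviors:
# name: (query_len, response_len, inter-arrival gap, pause_every, pause)
BEHAVIORS = {
    "browsing":       ((40, 80),   (150, 250), (0.005, 0.03), 10, (0.5, 2.0)),
    "email":          ((200, 250), (40, 60),   (0.005, 0.02), 0,  (0.0, 0.0)),
    "download":       ((30, 50),   (240, 255), (0.002, 0.01), 0,  (0.0, 0.0)),
    "remote_control": ((30, 60),   (30, 80),   (0.2, 1.5),    0,  (0.0, 0.0)),
}


def synth_flow(behavior, rng, n=WINDOW):
    """Constructed tunnel flow: alternating query/response with behavior-specific
    lengths and timing. Not real captured data."""
    q, r, gap, pause_every, pause = BEHAVIORS[behavior]
    pkts, t = [], 0.0
    for i in range(n):
        is_query = i % 2 == 0
        lo, hi = q if is_query else r
        pkts.append(Packet(t, rng.randint(lo, hi), is_query))
        t += rng.uniform(*gap)
        if pause_every and i % pause_every == pause_every - 1:
            t += rng.uniform(*pause)   # idle time between page loads
    return pkts


class NearestCentroid:
    """Minimal z-scored nearest-centroid classifier (stands in for the
    paper's machine-learning algorithm; an assumption of this example)."""

    def fit(self, X, y):
        cols = list(zip(*X))
        self.mu = [mean(c) for c in cols]
        self.sd = [pstdev(c) or 1.0 for c in cols]
        Z = [self._z(x) for x in X]
        self.centroids = {}
        for label in set(y):
            rows = [z for z, l in zip(Z, y) if l == label]
            self.centroids[label] = [mean(c) for c in zip(*rows)]
        return self

    def _z(self, x):
        return [(v - m) / s for v, m, s in zip(x, self.mu, self.sd)]

    def predict(self, x):
        z = self._z(x)
        return min(self.centroids,
                   key=lambda l: sum((a - b) ** 2
                                     for a, b in zip(z, self.centroids[l])))


def train_and_evaluate(n_train=20, n_test=10, seed=0):
    """Train on constructed flows, return accuracy on fresh constructed flows."""
    rng = random.Random(seed)
    X, y = [], []
    for b in BEHAVIORS:
        for _ in range(n_train):
            X.append(extract_features(synth_flow(b, rng)))
            y.append(b)
    clf = NearestCentroid().fit(X, y)
    correct = total = 0
    for b in BEHAVIORS:
        for _ in range(n_test):
            correct += clf.predict(extract_features(synth_flow(b, rng))) == b
            total += 1
    return correct / total


if __name__ == "__main__":
    print("accuracy on constructed flows:", train_and_evaluate())
```

The `WINDOW` constant is the "packet consuming rate" the abstract refers to: lowering it gives an earlier verdict at the cost of noisier length and timing statistics. The constructed profiles are deliberately well separated, so perfect accuracy here says nothing about real tunnels; on captured traffic the same feature vector would be fed to a properly validated classifier and scored with the F-score the paper reports.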
Keywords