Advances in Distributed Computing and Artificial Intelligence Journal (Oct 2021)

Advance Approach for Detection of DNS Tunneling Attack from Network Packets Using Deep Learning Algorithms

  • Dr. Gopal Sakarkar,
  • Mahesh Kumar H Kolekar,
  • Ketan Paithankar,
  • Gaurav Patil Gaurav,
  • Prateek Dutta,
  • Ruchi Chaturvedi,
  • Shivam Kumar

DOI
https://doi.org/10.14201/ADCAIJ2021103241266
Journal volume & issue
Vol. 10, no. 3
pp. 241 – 266

Abstract

Domain Name System (DNS) is a protocol for converting numeric IP addresses of websites into a human-readable form. With the development of technology, methods like DNS tunneling, which involves data encryption into DNS queries, are used to transfer information. The ability of DNS tunneling to transfer data attracts attackers, who use it to establish bidirectional communication with machines infected with malware. This can lead to instructions being sent in an obfuscated way or to data exfiltration. Since firewalls and intrusion detection systems detect only specific types of tunneling, whereas machine learning algorithms can analyze and predict based on the data previously provided to them, researchers are adopting machine learning to detect and predict the occurrence of DNS tunneling. Anomalies in network packets can be identified using Natural Language Processing (NLP) techniques. The experimental test accuracy of the NLP feature extraction method for detecting DNS tunneling in network packets was found to be 98.42% on the generated dataset. This paper makes a comparative study of the 1 Dimensional Convolution Neural Network (1-D CNN), Simple Recurrent Neural Network (Simple RNN), Long Short-Term Memory (LSTM) and Gated Recurrent Unit (GRU) algorithms for detecting DNS tunneling over the generated dataset. Detecting the threat of a DNS tunneling attack requires a good-quality dataset. This paper also proposes the generation of a good-quality dataset containing network packets, by recreating a DNS tunneling attack using the tool dnscat2.

Keywords