Visualization of DNS Tunneling Attacks Using Parallel Coordinates Technique

  • Yasir F. MohammedEmail author
  • Dale R. Thompson
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11611)


The Domain Name System (DNS) is considered one of the most critical protocols on the Internet. The DNS translates readable domain names into Internet Protocol (IP) addresses and vice-versa. The DNS tunneling attack uses DNS to create a covert channel for bypassing the firewall and performing command and control functions from within a compromised network or to transfer data to and from the network. There is work for detecting attacks that use DNS but little work focusing on the DNS tunneling attack. In this work, we introduce a fast and scalable approach, using the parallel coordinates technique, visualizing a malicious DNS tunneling attack within the large amount of network traffic. The DNS tunneling attack was performed in order to study the differences between the normal and the malicious traffic. Based on different scenarios, four different DNS tunneling graphical patterns were defined for distinguishing between normal DNS traffic and malicious traffic containing DNS tunneling attacks. Finally, the proposed system was able to visualize the DNS tunneling attack efficiently for the future work of creating an efficient detection system.


DNS Internet attacks Tunneling attacks DNS Tunneling Parallel coordinates technique Visualization 



This material is based upon work funded by Republic of Iraq Ministry of Higher Education and Scientific Research (MOHESR).


  1. 1.
    The Go programming language. Accessed 06 Feb 2019
  2. 2.
    Panda - python data analysis library. Accessed 06 Nov 2018
  3. 3.
    The R project for statistical computing. Accessed 06 Nov 2018
  4. 4.
    Born, K., Gustafson, D.: NgViz: detecting DNS tunnels through n-gram visualization and quantitative analysis. In: Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research - CSIIRW 2010 (2010).
  5. 5.
    Choi, H., Lee, H., Kim, H.: Fast detection and visualization of network attacks on parallel coordinates. Comput. Secur. (2009). Scholar
  6. 6.
    Cuzzocrea, A., Zall, D.: Parallel coordinates technique in visual data mining: advantages, disadvantages and combinations. In: 2013 17th International Conference on Information Visualisation, pp. 278–284, July 2013.
  7. 7.
    Das, A., Shen, M.Y., Shashanka, M., Wang, J.: Detection of exfiltration and tunneling over DNS. In: Proceedings - 16th IEEE International Conference on Machine Learning and Applications, ICMLA 2017 (2018).
  8. 8.
    Farnham, G., Atlasis, A.: Detecting DNS Tunneling Detecting DNS Tunneling GIAC (GCIA) Gold Certification Detecting DNS Tunneling 2. (2013)Google Scholar
  9. 9.
    Green, A.: DNSMessenger: 2017’s most beloved remote access Trojan (Rat), December 2017.
  10. 10.
    Grunzweig, J., Scott, M., Lee, B.: New wekby attacks use DNS requests as command and control mechanism, May 2016.
  11. 11.
    Incapsula, I.: DNS flood (2017). Accessed 06 Feb 2019
  12. 12.
    Kim, I., Choi, H., Lee, H.: BotXrayer: exposing botnets by visualizing DNS traffic. In: KSII the First International Conference on Internet (ICONI) (2009)Google Scholar
  13. 13.
    Liu, J., Li, S., Zhang, Y., Xiao, J., Chang, P., Peng, C.: Detecting DNS tunnel through binary-classification based on behavior features. In: 2017 IEEE Trustcom/BigDataSE/ICESS, pp. 339–346, August 2017.
  14. 14.
    Revelli, A., Leidecker, N.: Introducing heyoka: DNS tunneling 2.0 (2009). Accessed 07 Feb 2019
  15. 15.
    Satam, P., Alipour, H., Al-Nashif, Y., Hariri, S.: DNS-IDS: securing DNS in the cloud era. In: 2015 International Conference on Cloud and Autonomic Computing, pp. 296–301, September 2015.
  16. 16.
    Steve Jaworski, R.W.: Using splunk to detect DNS tunneling. Technical report (2016). Scholar
  17. 17.
    Verisign: Framework for resilient DNS security (2018). Accessed 01 Aug 2018
  18. 18.
    Zdrnja, B., Brownlee, N., Wessels, D.: Passive monitoring of DNS anomalies. In: M. Hämmerli, B., Sommer, R. (eds.) DIMVA 2007. LNCS, vol. 4579, pp. 129–139. Springer, Heidelberg (2007). Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Department of Computer Science and Computer EngineeringUniversity of ArkansasFayettevilleUSA

Personalised recommendations