Supervised Learning Approaches with Majority Voting for DNS Tunneling Detection

  • Conference paper

Part of the book series: Advances in Intelligent Systems and Computing ((AISC,volume 299))

Abstract

The use of covert-channel methods to bypass security policies has been increasing in recent years. Malicious users neutralize security restrictions by encapsulating protocols such as peer-to-peer, chat or HTTP proxy traffic inside other, allowed protocols such as DNS or HTTP. This paper illustrates different approaches to detecting one particular covert-channel technique: DNS tunneling.

Results from experiments conducted on a live network are obtained by replicating individual detections over successive samples taken over time and making a global decision through a majority voting scheme. The technique overcomes the limitations of a traditional single classifier. A performance evaluation shows the best approach to reach good results using a single classification scheme, applicable in the presence of different tunnelled applications.
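The fusion step the abstract describes, one global decision obtained by majority voting over the detections made on successive samples, is shown below as an added illustration; it is not code from the paper, and the per-sample classifier outputs, the block size of five samples and the independence of successive errors are all assumptions made here. The example also goes one step beyond the abstract: it computes the exact error probability of the fused decision from the per-sample error rate (binomial tail) and checks it by simulation, which is what a defender would want to know before choosing how many samples to wait for.

```python
from math import comb
from random import Random


def majority_vote(decisions):
    """Fuse one block of per-sample decisions (1 = tunnel, 0 = benign) into a global decision.

    Only odd block sizes are accepted so that a strict majority always exists and no
    tie-break rule is needed.
    """
    if len(decisions) % 2 == 0:
        raise ValueError("use an odd number of successive samples to avoid ties")
    return 1 if sum(decisions) * 2 > len(decisions) else 0


def block_decisions(decisions, block):
    """Apply majority voting over consecutive, non-overlapping blocks of `block` samples.

    A trailing partial block is ignored: not enough samples have been seen for a decision.
    """
    return [majority_vote(decisions[i:i + block])
            for i in range(0, len(decisions) - block + 1, block)]


def majority_error(p, block):
    """Exact error probability of a majority vote over `block` per-sample decisions that
    are each wrong with probability p, assuming the errors are independent (binomial tail).
    """
    if block % 2 == 0:
        raise ValueError("use an odd number of successive samples to avoid ties")
    return sum(comb(block, k) * p ** k * (1 - p) ** (block - k)
               for k in range(block // 2 + 1, block + 1))


def empirical_majority_error(p, block, trials, seed=0):
    """Monte Carlo check of majority_error: simulate a classifier that mislabels each
    sample with probability p and count how often the fused decision is wrong.
    """
    rng = Random(seed)
    wrong = 0
    for _ in range(trials):
        truth = rng.randint(0, 1)
        votes = [truth if rng.random() >= p else 1 - truth for _ in range(block)]
        wrong += majority_vote(votes) != truth
    return wrong / trials


# Constructed per-sample outputs of a base classifier: 15 successive samples of a
# tunnelled flow (true label 1) and 15 of a benign flow (true label 0), each block of
# five containing at most two isolated errors.
TUNNEL_SAMPLES = [1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0, 1]
BENIGN_SAMPLES = [0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0]


if __name__ == "__main__":
    print("tunnel flow, fused per block:", block_decisions(TUNNEL_SAMPLES, 5))
    print("benign flow, fused per block:", block_decisions(BENIGN_SAMPLES, 5))
    for block in (1, 3, 5, 7):
        print(f"p=0.2, block={block}: exact {majority_error(0.2, block):.4f}, "
              f"simulated {empirical_majority_error(0.2, block, 5000):.4f}")
```

With a per-sample error rate of 0.2, a block of five samples brings the fused error rate down to about 0.058 under the independence assumption; if successive errors are correlated (the same tunnelled flow keeps producing the same misleading features), the real gain is smaller, which is why the block size should be chosen on traffic from the live network rather than from this formula alone.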



Author information

Corresponding author

Correspondence to Maurizio Aiello.


Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Aiello, M., Mongelli, M., Papaleo, G. (2014). Supervised Learning Approaches with Majority Voting for DNS Tunneling Detection. In: de la Puerta, J., et al. International Joint Conference SOCO’14-CISIS’14-ICEUTE’14. Advances in Intelligent Systems and Computing, vol 299. Springer, Cham. https://doi.org/10.1007/978-3-319-07995-0_46

  • DOI: https://doi.org/10.1007/978-3-319-07995-0_46

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-07994-3

  • Online ISBN: 978-3-319-07995-0

  • eBook Packages: Engineering (R0)
