
DNS Tunneling Detection Techniques – Classification, and Theoretical Comparison in Case of a Real APT Campaign

  • Conference paper
  • Book: Internet of Things, Smart Spaces, and Next Generation Networks and Systems (ruSMART 2017, NsCC 2017, NEW2AN 2017)

Abstract

The Domain Name System (DNS) plays an important role as a translation protocol in everyday use of the Internet: its purpose is to translate domain names into IP addresses and vice versa. However, its simple architecture can easily be misused for malicious activities. One major security threat concerning DNS is tunneling, which lets attackers bypass security systems unnoticed. A DNS tunnel can serve three purposes: as a command and control channel, for data exfiltration, or for tunneling another protocol through it. In this paper, we survey different techniques for DNS tunneling detection. We classify them first by the type of data they analyse and then, within each category, by the type of analysis performed. We conclude with a comparison of the various detection techniques. We also introduce one real Advanced Persistent Threat campaign that utilizes DNS tunneling, and theoretically compare how well the surveyed detection techniques could detect it.



Author information

Corresponding author

Correspondence to Viivi Nuojua.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Nuojua, V., David, G., Hämäläinen, T. (2017). DNS Tunneling Detection Techniques – Classification, and Theoretical Comparison in Case of a Real APT Campaign. In: Galinina, O., Andreev, S., Balandin, S., Koucheryavy, Y. (eds) Internet of Things, Smart Spaces, and Next Generation Networks and Systems. ruSMART/NsCC/NEW2AN 2017. Lecture Notes in Computer Science, vol 10531. Springer, Cham. https://doi.org/10.1007/978-3-319-67380-6_26

  • DOI: https://doi.org/10.1007/978-3-319-67380-6_26

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-67379-0

  • Online ISBN: 978-3-319-67380-6

  • eBook Packages: Computer Science (R0)
