Detection of DNS Tunneling in Mobile Networks Using Machine Learning

Do, Van Thuan; Engelstad, Paal; Feng, Boning; van Do, Thanh

doi:10.1007/978-981-10-4154-9_26

Van Thuan Do³,
Paal Engelstad⁴,
Boning Feng⁴ &
…
Thanh van Do^4,5

Part of the book series: Lecture Notes in Electrical Engineering ((LNEE,volume 424))

Included in the following conference series:

International Conference on Information Science and Applications

3166 Accesses
18 Citations

Abstract

Lately, costly and threatening DNS tunnels on the mobile networks bypassing the mobile operator’s Policy and Charging Enforcement Function (PCEF), has shown the vulnerability of the mobile networks caused by the Domain Name System (DNS) which calls for protection solutions. Unfortunately there is currently no really adequate solution. This paper proposes to use machine learning techniques in the detection and mitigation of a DNS tunneling in mobile networks. Two machine learning techniques, namely One Class Support Vector Machine (OCSVM) and K-Means are experimented and the results prove that machine learning techniques could yield quite efficient detection solutions. The paper starts with a comprehensive introduction to DNS tunneling in mobile networks. Next the challenges in DNS tunneling detections are reviewed. The main part of the paper is the description of proposed DNS tunneling detection using machine learning.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 259.00; Price excludes VAT (USA)

Softcover Book: USD 329.99; Price excludes VAT (USA)

Hardcover Book: USD 329.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

IETF: RFC 1034 Domain names – concepts and facilities, Internet standard, November 1987
Google Scholar
IETF: RFC 1035 Domain names - Implementation and specification - Internet standard, November 1987
Google Scholar
Pure Hacking: Reverse DNS Tunneling – Staged Loading Shellcode, Ty Miller, Blackhat (2008)
Google Scholar
Ayaya: Black Ops of DNS, Dan Kaminsky, Blackhat (2004)
Google Scholar
OzymanDNS – Dan Kaminsky (2004). https://dankaminsky.com/2004/07/29/51/
Dns2tcp - Hervé Schauer Consultants. http://www.hsc.fr/ressources/outils/dns2tcp/
Iodine. http://code.kryo.se/iodine/
Heyoka. http://heyoka.sourceforge.net/
DNScat. http://tadek.pietraszek.org/projects/DNScat/
MagicTunnel. http://www.magictunnel.net/
Element53 – Sander Nijhof. https://nijhof.biz/element53/
VPN over DNS. https://www.vpnoverdns.com/
SANS Institute: Data Charging Bypass - How your IDS can help, Hassan Mourad, September 2014
Google Scholar
SANS Institute: Detecting DNS Tunneling, Greg Farnham, February 2013
Google Scholar
Bianco, D.: A traffic-analysis approach to detecting DNS tunnels. http://blog.vorant.com/2006/05/traffic-analysis-approach-to-detecting.html. Accessed 3 May 2006
Pietraszek, T.: Dnscat. http://tadek.pietraszek.org/projects/DNScat/. Accessed 31 Oct 2004
Heavy Reading: DNS Security for Service Providers: An Active Approach at L7 – White Paper – Patrick Donegan, October 2015
Google Scholar
Do, V.T., Engelstad, P., Feng, B., van Do, T.: Strengthening mobile network security using machine learning. In: Younas, M., Awan, I., Kryvinska, N., Strauss, C., van Thanh, D. (eds.) MobiWIS 2016. LNCS, vol. 9847, pp. 173–183. Springer, Heidelberg (2016). doi:10.1007/978-3-319-44215-0_14
Google Scholar
Mitchell, T.M.: Machine Learning. Mcgraw-Hill Companies Inc, New York (1997). ISBN 0-47-042807-7
MATH Google Scholar
Manevitz, L.M., Yousef, M.: One-class SVMs for document classification. J. Mach. Learn. Res. 2, 139–154 (2002)
MATH Google Scholar
MacQueen, J.B.: Some methods for classification and analysis of multivariate observations. In: Proceedings of 5th Berkeley Symposium on Mathematical Statistics and Probability, pp. 281–297. University of California Press, Berkeley (1967). MR 0214227, Zbl 0214.46201, Accessed 07 Apr 2009
Google Scholar
SlowDNS: A free VPN over DNS Tunneling Tool. http://slowdns.com/
Bengio, Y.: Learning deep architectures for AI. Found. Trends Mach. Learn. 2, 1–127 (2009). doi:10.1561/2200000006
MATH Google Scholar

Download references

Author information

Authors and Affiliations

Wolffia AS, Martin Linges vei 15, 1364, Fornebu, Norway
Van Thuan Do
Oslo and Akershus University College of Applied Sciences, Pilestredet 46, 0167, Oslo, Norway
Paal Engelstad, Boning Feng & Thanh van Do
Telenor ASA, Snarøyveien 30, 1331, Fornebu, Norway
Thanh van Do

Authors

Van Thuan Do
View author publications
You can also search for this author in PubMed Google Scholar
Paal Engelstad
View author publications
You can also search for this author in PubMed Google Scholar
Boning Feng
View author publications
You can also search for this author in PubMed Google Scholar
Thanh van Do
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Thanh van Do .

Editor information

Editors and Affiliations

Kyonggi University, Seongnam-si, Gyeonggi, Korea (Republic of)
Kuinam Kim
modelizeIT Inc., CEO and NYU , Stony Brook, New York, USA
Nikolai Joukov

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Do, V.T., Engelstad, P., Feng, B., van Do, T. (2017). Detection of DNS Tunneling in Mobile Networks Using Machine Learning. In: Kim, K., Joukov, N. (eds) Information Science and Applications 2017. ICISA 2017. Lecture Notes in Electrical Engineering, vol 424. Springer, Singapore. https://doi.org/10.1007/978-981-10-4154-9_26

Download citation

DOI: https://doi.org/10.1007/978-981-10-4154-9_26
Published: 18 March 2017
Publisher Name: Springer, Singapore
Print ISBN: 978-981-10-4153-2
Online ISBN: 978-981-10-4154-9
eBook Packages: EngineeringEngineering (R0)

Publish with us

Policies and ethics