Title: | Malicious DNS Tunnel Tool Recognition using Persistent DoH Traffic Analysis |
Authors: | Mitsuhashi, Rikima |
Jin, Yong |
Iida, Katsuyoshi |
Shinagawa, Takahiro |
Takai, Yoshiaki |
Keywords: | DNS over HTTPS (DoH) |
Network traffic classification |
Machine learning methods |
Gradient boosting decision tree algorithm |
GBDT algorithm |
Suspicious DoH traffic |
Emerging malicious DNS tunnel tool recognition |
CIRA-CICDoHBrw-2020 |
DoH-Tunnel-Traffic-HKD |
Issue Date: | 19-Oct-2022 |
Publisher: | IEEE |
Journal Title: | IEEE Transactions on Network and Service Management |
Volume: | 20 |
Issue: | 2 |
Start Page: | 2086 |
End Page: | 2095 |
Publisher DOI: | 10.1109/TNSM.2022.3215681 |
Abstract: | DNS over HTTPS (DoH) protocol can mitigate the risk of privacy breaches but makes it difficult to control network security services due to the DNS traffic encryption. However, since malicious DNS tunnel tools for the DoH protocol pose network security threats, network administrators need to recognize malicious communications even after the DNS traffic encryption has become widespread. In this paper, we propose a malicious DNS tunnel tool recognition system using persistent DoH traffic analysis based on machine learning. The proposed system can accomplish continuous knowledge updates for emerging malicious DNS tunnel tools on the machine learning model. The system is based on hierarchical machine learning classification and focuses on DoH traffic analysis. The evaluation results confirm that the proposed system is able to recognize the six malicious DNS tunnel tools in total, not only well-known ones, including dns2tcp, dnscat2, and iodine, but also the emerging ones such as dnstt, tcp-over-dns, and tuns with 98.02% classification accuracy. |
Description: | Published in: IEEE Transactions on Network and Service Management (Volume:20, Issue:2, June 2023) |
Rights: | © 2022 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. |
Type: | article (author version) |
URI: | http://hdl.handle.net/2115/87440 |
Appears in Collections: | Information Initiative Center > Peer-reviewed Journal Articles, etc. |