Conference Papers

Permanent URI for this collectionhttps://idr.nitk.ac.in/handle/123456789/28506

  • FQDN similarity and cache-miss property based DNS tunneling detection technique
    (Grenze Scientific Society, 2021) Bhowmik, M.; Chowdhary, A.; Rudra, B.
    Although there are many effective methods to detect DNS Tunneling attacks, the attacks still happen, and attackers can mock genuine queries to bypass such checks. However, in data exfiltration the DNS queries are continuously changing, as some part of each query represents the data itself. Thus, all such queries would result in a cache miss, and therefore we can use this property to detect DNS Tunneling attacks. However, relying on this alone is not enough, as it will also produce many false positives. To overcome the problem, we propose a three-criteria-based method that considers the properties of DNS Tunneling queries and uses them to reduce the number of false positives and thus accurately detect DNS Tunneling traffic. We also discuss ways of bypassing these checks in this paper; they are both costly and require the attacker to make redundant queries. © Grenze Scientific Society, 2021.
  • DNS tunneling detection using machine learning and cache miss properties
    (Institute of Electrical and Electronics Engineers Inc., 2021) Chowdhary, A.; Bhowmik, M.; Rudra, B.
    In a DNS Tunneling attack, data or other useful information is embedded within a DNS query and exfiltrated. Such attacks are difficult to detect because DNS is a fundamental protocol, and blocking legitimate domain names can lead to an unpleasant experience for users. Thus, detecting whether or not a DNS query is exfiltrating data is a challenging task. An attacker mimicking genuine queries makes this even more difficult. This research work presents two different methods for detecting DNS Tunneling queries; they are later combined to build a DNS Tunneling Attack Detector that can inform the client about a potential attack in real time. The first method uses cache misses in a DNS cache server, and the second method uses machine learning techniques to classify a given DNS query. Overall, with certain machine learning classifiers reaching around 93% accuracy when classifying on a per-packet basis, along with extra validation from the cache-miss approach, a detector has been developed to accurately report DNS tunneling traffic. © 2021 IEEE.
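Both abstracts above rest on the same observation: a query that carries exfiltrated data has to be a name the resolver has never answered, so it always misses the cache, but cache misses alone (a CDN handing out fresh hostnames, for instance) produce false positives, which the papers cut down with additional criteria on the queried FQDNs. The following Python sketch is an added example of that two-stage idea and is not the authors' code. The papers' actual criteria are not spelled out on this page, so the three used here (a high miss ratio per registered domain, long high-entropy subdomains, and mutual similarity of the missed FQDNs in label count and length) are this example's own assumptions, as are the naive registered-domain split and all threshold values; the benign, CDN and tunnel queries are constructed sample traffic, with SHA-256 hex digests standing in for encoded payload chunks.

```python
"""Cache-miss plus FQDN-shape DNS tunneling detector.

Added illustration for the two abstracts above; not the authors' code.
The three criteria below are this example's own choices (assumption):
the page says the papers combine cache-miss behaviour with properties of
the queried FQDNs to reduce false positives, but does not list them.
"""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of text (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(fqdn: str) -> str:
    """Last two labels, e.g. 'a.b.example.com' -> 'example.com'.
    Assumption: no Public Suffix List, so 'x.example.co.uk' is split wrongly."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def subdomain(fqdn: str) -> str:
    """Everything left of the registered domain ('' if nothing is there)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[:-2])


class CacheMissTunnelDetector:
    """Simulated resolver cache: a name seen before is a hit and ignored; a
    miss is recorded against its registered domain.  A domain is reported
    once, and only when all three shape criteria hold on its missed names."""

    def __init__(self, min_misses=8, min_sub_len=24, min_entropy=3.0,
                 max_len_spread=6, min_miss_ratio=0.9):
        self.cache = set()               # names already answered (simulated cache)
        self.misses = defaultdict(list)  # registered domain -> missed FQDNs
        self.queries = defaultdict(int)  # registered domain -> all queries seen
        self.alerted = set()
        self.min_misses = min_misses
        self.min_sub_len = min_sub_len
        self.min_entropy = min_entropy
        self.max_len_spread = max_len_spread
        self.min_miss_ratio = min_miss_ratio

    def observe(self, fqdn: str):
        """Feed one query; returns (registered_domain, reasons) the first time
        that domain satisfies every criterion, otherwise None."""
        name = fqdn.lower().rstrip(".")
        base = registered_domain(name)
        self.queries[base] += 1
        if name in self.cache:
            return None                  # hit: a repeated name carries no new payload
        self.cache.add(name)
        self.misses[base].append(name)
        if base in self.alerted or len(self.misses[base]) < self.min_misses:
            return None
        reasons = self.evaluate(base)
        if len(reasons) < 3:
            return None                  # any single signal alone is a false-positive source
        self.alerted.add(base)
        return base, reasons

    def evaluate(self, base: str) -> list:
        subs = [subdomain(n) for n in self.misses[base]]
        lengths = [len(s) for s in subs]
        reasons = []
        # A: nearly every query to this domain asked for a never-seen name.
        ratio = len(subs) / self.queries[base]
        if ratio >= self.min_miss_ratio:
            reasons.append(f"miss ratio {ratio:.2f}")
        # B: the subdomain part is long and high-entropy, as encoded data is.
        mean_len = sum(lengths) / len(subs)
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if mean_len >= self.min_sub_len and mean_ent >= self.min_entropy:
            reasons.append(f"mean subdomain length {mean_len:.0f}, entropy {mean_ent:.2f} bits")
        # C: FQDN similarity: same label count and near-constant length, as a
        #    chunking encoder produces, unlike a mix of hand-picked hostnames.
        label_counts = {s.count(".") + 1 for s in subs}
        spread = max(lengths) - min(lengths)
        if len(label_counts) == 1 and spread <= self.max_len_spread:
            reasons.append(f"uniform shape: {label_counts.pop()} label(s), length spread {spread}")
        return reasons


# Constructed sample traffic (not captured data).
BENIGN = (["www.example.com"] * 6
          + ["mail.example.com", "api.example.com", "cdn.example.com",
             "login.example.com", "www.example.com", "intranet.example.com",
             "vpn.example.com", "docs.example.com", "git.example.com",
             "wiki.example.com"])
# A CDN handing out fresh short hostnames: every query misses, none looks like payload.
CDN = [f"img-{i:04d}.static-cdn.org" for i in range(10)]
# A tunnel carrying hex-encoded chunks (SHA-256 digests stand in for ciphertext).
TUNNEL = []
for i in range(12):
    h = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()
    TUNNEL.append(f"{h[:32]}.{h[32:]}.t.tun.example.net")


def run_demo():
    """Replay the sample traffic; returns the list of (domain, reasons) alerts."""
    det = CacheMissTunnelDetector()
    alerts = []
    for q in BENIGN + CDN + TUNNEL:
        hit = det.observe(q)
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for base, why in run_demo():
        print(f"{base}: {'; '.join(why)}")
```

Run as a script, it reports only example.net: the CDN names satisfy the miss-ratio and uniform-shape criteria but fail the length/entropy one, and the ordinary example.com hostnames are mostly cache hits, which is the false-positive reduction the first abstract describes. The cost the first paper attributes to a bypass is visible here too: to stay under the miss-ratio threshold an attacker would have to pad the channel with repeated, payload-free queries.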