Detecting DNS Tunnels Using Character Frequency Analysis
read the original abstract
High-bandwidth covert channels pose significant risks to sensitive and proprietary information inside company networks. Domain Name System (DNS) tunnels provide a means to covertly infiltrate and exfiltrate large amounts of information passed network boundaries. This paper explores the possibility of detecting DNS tunnels by analyzing the unigram, bigram, and trigram character frequencies of domains in DNS queries and responses. It is empirically shown how domains follow Zipf's law in a similar pattern to natural languages, whereas tunneled traffic has more evenly distributed character frequencies. This approach allows tunnels to be detected across multiple domains, whereas previous methods typically concentrate on monitoring point to point systems. Anomalies are quickly discovered when tunneled traffic is compared to the character frequency fingerprint of legitimate domain traffic.
This paper has not been read by Pith yet.
Forward citations
Cited by 1 Pith paper
-
Identifying DNS-tunneled traffic with predictive models
Pairing DNS queries and responses in feature extraction raises MLP and Random Forest accuracy above 83% for detecting SSH/SFTP/Telnet tunnels, with roughly 95% reduction in data size.
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.