Application Behavior Identification in DNS Tunnels Based on Spatial-Temporal Information

Authors: Bai, Huiwen; Liu, Weiwei; Liu, Guangjie; Dai, Yuewei; Huang, Shuhua

Affiliations: Nanjing University of Science and Technology, School of Automation, Nanjing 210094, People's Republic of China; Nanjing University of Information Science and Technology, School of Electronic and Information Engineering, Nanjing 210044, People's Republic of China

Publication: IEEE Access

Year / Volume: 2021, Vol. 9

Pages: 80639-80653

Funding: National Natural Science Foundation of China [U1836104, 61702235]; Fundamental Research Funds for the Central Universities

Subjects: Tunneling; Feature extraction; Protocols; Machine learning; Payloads; Neural networks; Malware; DNS tunnel; internal application behavior identification; spatial-temporal features; machine-learning algorithm

Abstract: Because it can pass through heavily censored networks and gateways equipped with traffic-monitoring modules, the DNS tunnel has become the dominant covert communication technique for command and control between attacker and victim in network attack events. Although the detection of DNS tunnels has been intensively studied, identifying the application behavior carried inside a DNS tunnel remains a challenging problem. Such fine-grained identification can reveal more of the behavior information wrapped in DNS tunnels. In this study, we investigate the spatial-temporal information in the raw packets to identify the internal application behaviors in DNS tunnels. Multi-dimensional features on packet length and timing, computed for DNS tunnels carrying different internal application behaviors, are combined with a machine-learning algorithm to identify those behaviors. We consider four common types of application behavior: browsing web pages, emailing, downloading data, and controlling remote servers. The experimental results show that the proposed scheme achieves higher identification accuracy with a much lower packet-consumption rate than the state-of-the-art internal protocol identification scheme, and that it is better in terms of F-score, reaching 99% with only 100 packets.
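The abstract names two feature channels, packet length and timing, computed from raw packets within a budget of packets (100 in the reported result). The Python block below is an added example and is not code from the paper or its authors: it shows one concrete reading of such spatial-temporal features, namely per-direction length statistics, inter-arrival-time statistics and byte asymmetry, all computed over a fixed window of N packets, with the window size standing in for the packet budget. The `DnsPacket` record, the feature definitions and the six-packet `SAMPLE` are constructed for illustration and are assumptions, not the authors' actual feature set.

```python
"""Spatial-temporal feature extraction over fixed-size DNS packet windows.

Added example, not the paper's implementation. The feature set below is one
plausible reading of "features on packet length and timing"; the real scheme
may use a different set.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, Iterable, Iterator, List


@dataclass(frozen=True)
class DnsPacket:
    ts: float        # capture timestamp in seconds (assumed field)
    length: int      # DNS payload length in bytes (assumed field)
    upstream: bool   # True for client -> resolver (query), False for response


def _stats(values: List[float], prefix: str) -> Dict[str, float]:
    """Summary statistics for one channel; all zeros when the channel is empty."""
    if not values:
        return {f"{prefix}_{k}": 0.0 for k in ("mean", "std", "min", "max")}
    return {
        f"{prefix}_mean": float(mean(values)),
        f"{prefix}_std": float(pstdev(values)),
        f"{prefix}_min": float(min(values)),
        f"{prefix}_max": float(max(values)),
    }


def extract_features(packets: Iterable[DnsPacket], window: int = 100) -> Dict[str, float]:
    """Build one feature vector from the first `window` packets of a tunnel session.

    `window` plays the role of the packet budget in the abstract: the fewer
    packets a verdict needs, the earlier a live session can be classified.
    """
    pkts = sorted(packets, key=lambda p: p.ts)[:window]
    if not pkts:
        raise ValueError("empty window")
    # Spatial channel: payload lengths, split by direction, because query and
    # response lengths carry different information about the tunnelled payload.
    up = [p.length for p in pkts if p.upstream]
    down = [p.length for p in pkts if not p.upstream]
    # Temporal channel: inter-arrival times between consecutive packets.
    iat = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]

    feats: Dict[str, float] = {"n_pkts": float(len(pkts))}
    feats.update(_stats(up, "up_len"))
    feats.update(_stats(down, "down_len"))
    feats.update(_stats(iat, "iat"))
    up_bytes, down_bytes = sum(up), sum(down)
    feats["up_ratio"] = len(up) / len(pkts)
    # Byte asymmetry: "pull" behaviour (downloads) moves most bytes downstream,
    # interactive remote control tends to be far more balanced.
    feats["down_to_up_bytes"] = down_bytes / up_bytes if up_bytes else 0.0
    feats["duration"] = pkts[-1].ts - pkts[0].ts
    return feats


def windows(packets: Iterable[DnsPacket], window: int = 100) -> Iterator[Dict[str, float]]:
    """Yield feature vectors for consecutive non-overlapping windows of a long session."""
    pkts = sorted(packets, key=lambda p: p.ts)
    for i in range(0, len(pkts) - window + 1, window):
        yield extract_features(pkts[i:i + window], window)


# Constructed sample: a six-packet query/response exchange, not captured traffic.
SAMPLE = [
    DnsPacket(0.000, 120, True),
    DnsPacket(0.040, 60, False),
    DnsPacket(0.100, 180, True),
    DnsPacket(0.150, 500, False),
    DnsPacket(0.200, 130, True),
    DnsPacket(0.260, 480, False),
]

if __name__ == "__main__":
    for name, value in sorted(extract_features(SAMPLE).items()):
        print(f"{name:>18}: {value:.4f}")
```

The returned dictionary is the input to whatever classifier is trained on labelled sessions; the classifier itself is out of scope here. Two practical caveats when reproducing this kind of pipeline: the direction flag must be assigned consistently with the capture point (a sensor behind a forwarding resolver sees different length and timing profiles than one at the client), and resolver caching suppresses some responses, which perturbs the timing channel more than the length channel.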
