6533b874fe1ef96bd12d628f

RESEARCH PRODUCT

DNS Tunneling Detection Techniques – Classification, and Theoretical Comparison in Case of a Real APT Campaign

Gil DavidHämäläinen TimoViivi Nuojua

subject

DNS tunneling detectionSIMPLE (military communications protocol)business.industryComputer scienceDomain Name SystemComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS020206 networking & telecommunications02 engineering and technologyComputer securitycomputer.software_genreDomain (software engineering)protokollat0202 electrical engineering electronic engineering information engineeringAPT020201 artificial intelligence & image processingThe Internetcovert channels detectiontietoturvabusinesscomputerProtocol (object-oriented programming)

description

Domain Name System (DNS) plays an important role as a translation protocol in everyday use of the Internet. The purpose of DNS is to translate domain names into IP addresses and vice versa. However, its simple architecture can easily be misused for malicious activities. One huge security threat concerning DNS is tunneling, which helps attackers bypass the security systems unnoticed. A DNS tunnel can be used for three purposes: as a command and control channel, for data exfiltration or even for tunneling another protocol through it. In this paper, we surveyed different techniques for DNS tunneling detection. We classified those first based on the type of data and then within the categories based on the type of analysis. We conclude with a comparison between the various detection techniques. We introduce one real Advanced Persistent Threat campaign that utilizes DNS tunneling, and theoretically compare how well the surveyed detection techniques could detect it. peerReviewed

yearjournalcountryeditionlanguage
2017-01-01
http://urn.fi/URN:NBN:fi:jyu-201710304091