Security and Privacy in Communication Networks. 16th EAI International Conference, SecureComm 2020, Washington, DC, USA, October 21-23, 2020, Proceedings, Part II

Research Article

A Practical Machine Learning-Based Framework to Detect DNS Covert Communication in Enterprises

@INPROCEEDINGS{10.1007/978-3-030-63095-9_1,
    author={Ruming Tang and Cheng Huang and Yanti Zhou and Haoxian Wu and Xianglin Lu and Yongqian Sun and Qi Li and Jinjin Li and Weiyao Huang and Siyuan Sun and Dan Pei},
    title={A Practical Machine Learning-Based Framework to Detect DNS Covert Communication in Enterprises},
    proceedings={Security and Privacy in Communication Networks. 16th EAI International Conference, SecureComm 2020, Washington, DC, USA, October 21-23, 2020, Proceedings, Part II},
    proceedings_a={SECURECOMM PART 2},
    year={2020},
    month={12},
    keywords={DNS, Malicious domain detection, Data exfiltration, DGA},
    doi={10.1007/978-3-030-63095-9_1}
}
Ruming Tang, Cheng Huang¹, Yanti Zhou, Haoxian Wu¹, Xianglin Lu, Yongqian Sun, Qi Li*, Jinjin Li, Weiyao Huang, Siyuan Sun, Dan Pei
  ¹ BizSeer Technologies Co.
  * Contact email: qli01@tsinghua.edu.cn

Abstract

DNS is a key protocol of the Internet infrastructure, which ensures network connectivity. However, DNS suffers from various threats. In particular, DNS covert communication is a serious threat in enterprise networks, by which attackers establish stealthy communications between internal hosts and remote servers. In this paper, we propose D²C² (Detection of DNS Covert Communication), a practical and flexible machine learning-based framework to detect DNS covert communications. D²C² is an end-to-end framework that contains modular detection models, both supervised and unsupervised, which detect multiple types of threats efficiently and flexibly. We have deployed D²C² in a large commercial bank with 100 million DNS queries per day. During the deployment, D²C² detected over 4k anomalous DNS communications per day, achieving high precision of over 0.97 on average. It uncovered a significant number of previously unnoticed security issues, including seven compromised hosts in the enterprise network.

Keywords: DNS, Malicious domain detection, Data exfiltration, DGA

Published: 2020-12-12

Appears in: SpringerLink, http://dx.doi.org/10.1007/978-3-030-63095-9_1
Copyright © 2020–2025 ICST