Published on Sun Oct 04 2020

DNS Covert Channel Detection via Behavioral Analysis: a Machine Learning Approach

Salvatore Saeli, Federica Bisio, Pierangelo Lombardo, Danilo Massa

Detecting covert channels among legitimate traffic represents a severe challenge due to the high heterogeneity of networks. The proposed solution has been evaluated over a 15-day-long experimental session. All the malicious variants were detected, while producing a low false-positive rate.

Abstract

Detecting covert channels among legitimate traffic represents a severe challenge due to the high heterogeneity of networks. Therefore, we propose an effective covert channel detection method, based on the analysis of DNS network data passively extracted from a network monitoring system. The framework is based on a machine learning module and on the extraction of specific anomaly indicators able to describe the problem at hand. The contribution of this paper is two-fold: (i) the machine learning models encompass network profiles tailored to the network users, and not to the single query events, hence allowing for the creation of behavioral profiles and spotting possible deviations from the normal baseline; (ii) models are created in an unsupervised mode, thus allowing for the identification of zero-day attacks and avoiding the requirement of signatures or heuristics for new variants. The proposed solution has been evaluated over a 15-day-long experimental session with the injection of traffic that covers the most relevant exfiltration and tunneling attacks: all the malicious variants were detected, while producing a low false-positive rate during the same period.
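The two design choices the abstract highlights, profiling the client rather than the single query and learning the baseline without labels, can be illustrated on a handful of DNS log records. The following is an added example written for this page, not the authors' framework or code: the four anomaly indicators, the sample log and the scoring rule (a robust, median/MAD based z-score per indicator, with the 3.5 modified z-score cutoff) are my own simplifying assumptions chosen to show the mechanics, not the indicators or models the paper uses.

```python
"""Per-client DNS behavioral profiling with an unsupervised anomaly score.

Added illustration, not the paper's code: the unit of analysis is the client
(the "network user"), not the single query, and the baseline is learned
without labels by comparing each client's indicators with robust statistics
of the whole client population.
"""
import math
from collections import defaultdict
from statistics import median

# Constructed sample log: (client_ip, query_name, query_type).
# The last client issues long, high-entropy labels under a single zone with
# TXT queries, the kind of footprint a tunneling or exfiltration tool leaves.
SAMPLE_LOG = [
    ("10.0.0.11", "www.example.com", "A"),
    ("10.0.0.11", "mail.example.com", "A"),
    ("10.0.0.11", "www.example.com", "A"),
    ("10.0.0.11", "cdn.example.net", "A"),
    ("10.0.0.12", "www.example.org", "A"),
    ("10.0.0.12", "api.example.org", "AAAA"),
    ("10.0.0.12", "www.example.org", "A"),
    ("10.0.0.13", "login.example.com", "A"),
    ("10.0.0.13", "www.example.org", "A"),
    ("10.0.0.13", "www.example.net", "A"),
    ("10.0.0.14", "www.example.net", "A"),
    ("10.0.0.14", "time.example.org", "A"),
    ("10.0.0.14", "www.example.net", "A"),
    ("10.0.0.99", "0123456789abcdeffedcba9876543210.tunnel.example.test", "TXT"),
    ("10.0.0.99", "abcdef0123456789fedcba9876543210.tunnel.example.test", "TXT"),
    ("10.0.0.99", "fedcba98765432100123456789abcdef.tunnel.example.test", "TXT"),
    ("10.0.0.99", "89abcdef012345670123456789abcdef.tunnel.example.test", "TXT"),
]

# Modified z-score cutoff suggested by Iglewicz and Hoaglin for outlier screening.
CUTOFF = 3.5


def shannon_entropy(text):
    """Bits per character of a string; random-looking labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def client_profiles(log):
    """Aggregate per-client indicators (assumed indicators, not the paper's)."""
    per_client = defaultdict(list)
    for client, qname, qtype in log:
        per_client[client].append((qname.lower(), qtype.upper()))
    profiles = {}
    for client, queries in per_client.items():
        n = len(queries)
        names = [q for q, _ in queries]
        leftmost = [q.split(".")[0] for q in names]  # label most often used to carry data
        profiles[client] = {
            "mean_qname_len": sum(len(q) for q in names) / n,
            "mean_label_entropy": sum(shannon_entropy(lbl) for lbl in leftmost) / n,
            "unique_name_ratio": len(set(names)) / n,
            "txt_fraction": sum(1 for _, t in queries if t == "TXT") / n,
        }
    return profiles


def robust_scores(profiles, floor=0.05):
    """Unsupervised scoring: deviation of each indicator from the population
    median, scaled by the median absolute deviation (MAD). No labels are used.
    The floor keeps a zero MAD (most clients sharing one value) from dividing
    by zero."""
    features = list(next(iter(profiles.values())).keys())
    scale = {}
    for f in features:
        values = [p[f] for p in profiles.values()]
        med = median(values)
        mad = median([abs(v - med) for v in values])
        scale[f] = (med, max(1.4826 * mad, floor))
    return {
        client: {f: (p[f] - scale[f][0]) / scale[f][1] for f in features}
        for client, p in profiles.items()
    }


def flag_clients(log, cutoff=CUTOFF, min_indicators=2):
    """Flag a client only when several indicators deviate upward together;
    low values (short names, low entropy) are not suspicious here."""
    flagged = {}
    for client, zs in robust_scores(client_profiles(log)).items():
        hits = [f for f, z in zs.items() if z > cutoff]
        if len(hits) >= min_indicators:
            flagged[client] = hits
    return flagged


if __name__ == "__main__":
    for client, hits in flag_clients(SAMPLE_LOG).items():
        print(f"{client}: deviates on {', '.join(hits)}")
```

With the constructed log, only 10.0.0.99 crosses the cutoff, and it does so on three indicators at once (query-name length, label entropy and TXT fraction), while the client that merely uses three distinct names in three queries is left alone. Requiring agreement between indicators is what keeps a per-client baseline from flagging ordinary variation; in a real deployment the population would be the monitored clients over a sliding window rather than five hosts.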

Tue Oct 27 2020
Machine Learning
Generalized Insider Attack Detection Implementation using NetFlow Data
Insider Attack Detection in commercial networks is a critical problem that does not have any good solutions at this current time. We show that our approach is a promising tool for insider attack detection in realistic settings.
Tue Jan 21 2020
Machine Learning
An Intelligent and Time-Efficient DDoS Identification Framework for Real-Time Enterprise Networks SAD-F: Spark Based Anomaly Detection Framework
Anomaly detection is a crucial step for preventing malicious activities in the network. Classical anomaly detectors work well with small and sampled data. The chances of failure increase with real-time (non-sampled) traffic data.
Sat Dec 12 2020
Machine Learning
Filtering DDoS Attacks from Unlabeled Network Traffic Data Using Online Deep Learning
DDoS attacks are simple, effective, and still pose a significant threat. It's interesting to investigate how we can leverage deep learning to filter out application layer attack requests. Offline unsupervised learning methods can sidestep these hurdles by learning an anomaly detector.
Mon Jun 28 2021
Machine Learning
Realtime Robust Malicious Traffic Detection via Frequency Domain Analysis
Machine learning (ML) based malicious traffic detection is an emerging security paradigm, particularly for zero-day attack detection. However, existing ML based detection has low detection accuracy and low throughput, incurred by inefficient traffic feature extraction.
Fri Apr 23 2021
Machine Learning
Lightweight Detection of Out-of-Distribution and Adversarial Samples via Channel Mean Discrepancy
Sat Apr 25 2020
Machine Learning
NetML: A Challenge for Network Traffic Analytics
Classifying network traffic is the basis for important network applications. Prior research in this area has faced challenges on the availability of representative datasets. We release the datasets in the form of an open challenge called NetML.