Consiglio Nazionale delle Ricerche

Product type: Journal article
Title: DNS tunneling detection through statistical fingerprints of protocol messages and machine learning
Year of publication: 2014
Author(s): Aiello M.; Mongelli M.; Papaleo G.
Author affiliations: Institute of Electronics, Computer and Telecommunication Engineering, National Research Council of Italy, Via De Marini 6, Genoa 16149, Italy
Abstract: The use of covert-channel methods to bypass security policies has increased considerably in recent years. Malicious users neutralize security restrictions by encapsulating protocols like peer-to-peer, chat or HTTP proxy into other allowed protocols like Domain Name Server (DNS) or HTTP. This paper illustrates a machine learning approach to detect one particular covert-channel technique: DNS tunneling.

Although packet inspection may guarantee reliable intrusion detection in this context, it may suffer from poor scalability when a large set of sockets must be monitored in real time. Detecting the presence of DNS intruders by aggregation-based monitoring is of main interest as it avoids packet inspection, thus preserving privacy and scalability. The proposed monitoring mechanism looks at simple statistical properties of protocol messages, such as statistics of packet inter-arrival times and of packet sizes. The analysis is complicated by two drawbacks: silent intruders (generating small statistical variations of legitimate traffic) and quick statistical fingerprint generation (to obtain a detection tool really applicable in the field).

Results from experiments conducted on a live network are obtained by replicating individual detections over successive samples over time and by making a global decision through a majority voting scheme. The technique overcomes traditional classifier limitations. An insightful analysis of the performance leads to the discovery of a unique intrusion detection tool, applicable in the presence of different tunneled applications. © 2014 John Wiley & Sons, Ltd.
Abstract language: English
Journal: International journal of communication systems (Print)
Active since 1994
Publisher: Wiley, Chichester, UK
Country of publication: United Kingdom
Language: English
ISSN: 1074-5351
Key title: International journal of communication systems (Print)
Proper title: International journal of communication systems. (Print)
Abbreviated title: Int. j. commun. syst. (Print)
Alternative title: Communication systems (Print)
Peer reviewed: Yes, international
Indexing (in controlled databases):
  • Scopus (Code: 2-s2.0-84904776994)
Keywords: DNS tunneling, Ensemble techniques, Intrusion detection, Supervised learning
CNR structures:
  • IEIIT — Istituto di elettronica e di ingegneria dell'informazione e delle telecomunicazioni
CNR modules:
  • DNS tunneling detection through statistical fingerprints of protocol messages and machine learning