Real time detection of malicious DoH traffic using statistical analysis
Overview
published in
- Computer Networks Journal
publication date
- October 2023
start page
- 1
end page
- 10
article number
- 109910
volume
- 234
International Standard Serial Number (ISSN)
- 1389-1286
Electronic International Standard Serial Number (EISSN)
- 1872-7069
abstract
-
The DNS protocol plays a fundamental role in the operation of ubiquitous networks. Every device connected to these networks depends on DNS, both for the traditional translation of domain names to IP addresses and for more advanced services such as resource discovery. DNS over HTTPS (DoH) solves certain security problems present in plain DNS, in particular the exposure and tampering of queries in transit. However, malicious DNS tunnels, a covert channel that encapsulates attacker traffic inside DNS exchanges, become harder to detect under DoH because encryption prevents any inspection of the DNS payload.
In this study, we introduce a real-time system for detecting malicious DoH tunnels based on statistical analysis of DoH traffic. Our research demonstrates that malicious traffic can be identified in real time by analyzing specific parameters extracted from the encrypted DoH flows, without decrypting them. In addition, we conducted a statistical analysis to identify the features that best distinguish malicious from benign traffic. Using the selected features, we achieved satisfactory results in classifying DoH traffic as either benign or malicious.
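The abstract describes the pipeline only at a high level: extract per-flow statistics from encrypted DoH traffic, rank the features that separate tunnels from normal lookups, classify with the selected features, and decide while the flow is still in progress. The following Python block is an added illustration of that pipeline, not the paper's code. The feature set (packet counts, rates, byte ratios, record-size and inter-arrival statistics), the effect-size ranking, the midpoint-threshold voting classifier and the fixed decision window are all assumptions chosen for the example, and the packet traces are constructed, not captures.

```python
"""Flow-statistics DoH tunnel detector (added illustration, not the paper's code).

Feature set, ranking score, thresholds and the packet traces are assumptions
made for this example. Only TLS record sizes, directions and timestamps are
used: nothing here needs the decrypted DNS content.
"""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Packet = Tuple[float, str, int]   # (seconds, "out"|"in", TLS record bytes)
Features = Dict[str, float]


def extract_features(packets: List[Packet]) -> Features:
    """Per-flow statistics computable from encrypted traffic alone (non-empty flow)."""
    packets = sorted(packets)
    times = [p[0] for p in packets]
    sizes = [p[2] for p in packets]
    out_b = sum(p[2] for p in packets if p[1] == "out")
    in_b = sum(p[2] for p in packets if p[1] == "in")
    gaps = [b - a for a, b in zip(times, times[1:])] or [0.0]
    duration = times[-1] - times[0]
    return {
        "pkt_count": float(len(packets)),
        "pkt_rate": len(packets) / duration if duration > 0 else float(len(packets)),
        "bytes_out": float(out_b),
        "out_in_ratio": out_b / max(in_b, 1),   # upload-heavy flows stand out
        "mean_len": mean(sizes),
        "std_len": pstdev(sizes),
        "mean_gap": mean(gaps),
        "std_gap": pstdev(gaps),                # machine pacing has tiny jitter
    }


def rank_features(benign: List[Features], malicious: List[Features], k: int = 3) -> List[str]:
    """Rank features by standardized mean difference (pooled-std effect size)."""
    scores = {}
    for f in benign[0]:
        b = [x[f] for x in benign]
        m = [x[f] for x in malicious]
        pooled = ((pstdev(b) ** 2 + pstdev(m) ** 2) / 2) ** 0.5
        scores[f] = abs(mean(m) - mean(b)) / (pooled + 1e-9)
    return sorted(scores, key=scores.get, reverse=True)[:k]


class ThresholdClassifier:
    """One midpoint threshold per selected feature; majority vote decides."""

    def __init__(self, benign, malicious, features):
        self.rules = {}
        for f in features:
            mb, mm = mean(x[f] for x in benign), mean(x[f] for x in malicious)
            self.rules[f] = ((mb + mm) / 2, mm > mb)   # (threshold, malicious_is_high)

    def predict(self, feats: Features) -> str:
        votes = sum((feats[f] > thr) == high for f, (thr, high) in self.rules.items())
        return "malicious" if 2 * votes > len(self.rules) else "benign"


def stream_detect(clf, packets: List[Packet], window: int = 20) -> Tuple[str, int]:
    """Decide as soon as `window` packets of a flow are seen (a prefix, not the
    completed flow); shorter flows are decided at their end. Returns (verdict, n_seen)."""
    seen: List[Packet] = []
    for pkt in sorted(packets):
        seen.append(pkt)
        if len(seen) == window:
            return clf.predict(extract_features(seen)), len(seen)
    return clf.predict(extract_features(seen)), len(seen)


# Constructed traces (not captures): browsing-like lookups vs. a bulk-upload tunnel.
def benign_flow(n: int) -> List[Packet]:
    pkts, t = [], 0.0
    for i in range(n):
        pkts += [(t, "out", 120 + 15 * (i % 4)), (t + 0.03, "in", 300 + 90 * (i % 5))]
        t += 1.5 + 0.7 * (i % 3)          # human-paced, irregular gaps
    return pkts


def tunnel_flow(n: int) -> List[Packet]:
    pkts, t = [], 0.0
    for i in range(n):
        pkts += [(t, "out", 900 + 10 * (i % 3)), (t + 0.01, "in", 130)]
        t += 0.05                          # machine-paced, uniform gaps
    return pkts


def build_detector():
    """Fit the feature ranking and thresholds on a small labelled set."""
    benign = [extract_features(benign_flow(n)) for n in (6, 9, 12, 15)]
    tunnel = [extract_features(tunnel_flow(n)) for n in (20, 40, 60, 80)]
    top = rank_features(benign, tunnel)
    return ThresholdClassifier(benign, tunnel, top), top


if __name__ == "__main__":
    clf, top = build_detector()
    print("selected features:", top)
    print(stream_detect(clf, tunnel_flow(100)))   # verdict after 20 packets
    print(stream_detect(clf, benign_flow(5)))     # short flow, decided at its end
```

Two points the example makes that the abstract only states: every feature is derived from sizes, directions and timing, so the detector works without decrypting anything, and the decision is taken on the first window of packets rather than after the flow closes, which is what makes it usable in real time. On real traffic the window size and the ranking method would be tuned on a labelled dataset, and a single-threshold vote would normally be replaced by a proper classifier.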
Classification
subjects
- Computer Science
- Telecommunications
keywords
- classification; DNS tunnels; DoH traffic; intrusion detection system (IDS); malicious DoH; statistical analysis