Monitoring Enterprise DNS Queries for Detecting Data Exfiltration from Internal Hosts
IEEE Transactions on Network and Service Management ( IF 4.7 ) Pub Date : 2020-03-01 , DOI: 10.1109/tnsm.2019.2940735
Jawad Ahmed , Hassan Habibi Gharakheili , Qasim Raza , Craig Russell , Vijay Sivaraman

Enterprise networks constantly face the threat of valuable and sensitive data being stolen by cyber-attackers. Sophisticated attackers are increasingly exploiting the Domain Name System (DNS) service for exfiltrating data as well as maintaining tunneled command and control communications for malware. This is because DNS traffic is usually allowed to pass through enterprise firewalls without deep inspection or state maintenance, thereby providing a covert channel for attackers to encode low volumes of data without fear of detection. This paper develops and evaluates a real-time mechanism for detecting exfiltration and tunneling of data over DNS. Unlike prior solutions that operate offline or in the network core, ours works in real-time at the enterprise edge. Our first contribution is to collect and analyze real DNS traffic from two organizations (a large University and a mid-sized Government Research Institute) over several days and extract numerous stateless attributes of DNS messages that can distinguish malicious from legitimate queries. Our second contribution is to develop, tune, and train a machine-learning algorithm to detect anomalies in DNS queries using a benign dataset of top-ranked primary domains. To achieve this, we have used 14 days' worth of DNS traffic from each organization. For our third contribution, we implement our scheme on live 10 Gbps traffic streams from the network borders of the two organizations, inject more than three million malicious DNS queries generated by two exfiltration tools, and show that our solution can identify them with high accuracy. We compare our solution with the two-class classifier used in prior work. We draw insights into anomalous DNS queries of two enterprise networks by their anomaly scores, the trace of query count over time, the enterprise hosts querying them, and the TTL and Type fields of their corresponding responses. Our tools and datasets are made available to the public for validation and further research.
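The abstract combines two ideas a practitioner will want to see working together: stateless attributes computed from a single DNS query name (no per-host or per-flow state), and an anomaly detector trained only on benign top-ranked domains rather than a two-class classifier that needs labelled malicious samples. The Python below is an added example written for this page; it is not the authors' released tooling, and the eight attributes, the z-score profile, the 3.5-sigma threshold, the "last two labels are the primary domain" rule and every query name are my own assumptions and constructed data, not values from the paper.

```python
"""Stateless DNS query-name attributes plus a benign-only anomaly scorer.

Added example for this page, not the paper's code. Feature set, threshold and
all query names below are assumptions / constructed data.
"""
import math
from collections import Counter
from statistics import mean, pstdev

FEATURE_ORDER = ("total_len", "subdomain_len", "upper", "digits",
                 "entropy", "labels", "max_label", "avg_label")


def stateless_features(qname):
    """Attributes derivable from one QNAME alone, no connection or host state.

    Assumption: the registered (primary) domain is the last two labels. A real
    deployment would consult the Public Suffix List, otherwise names such as
    host.example.co.uk are split in the wrong place.
    """
    name = qname.rstrip(".")
    if not name:
        raise ValueError("empty query name")
    labels = name.split(".")
    subdomain = ".".join(labels[:-2])
    n = len(name)
    # Shannon entropy over the whole name, dots included; encoded payloads
    # (base32/base64 chunks) push this well above ordinary hostnames.
    entropy = -sum((c / n) * math.log2(c / n) for c in Counter(name).values())
    label_lens = [len(label) for label in labels]
    return {
        "total_len": n,
        "subdomain_len": len(subdomain),
        "upper": sum(ch.isupper() for ch in name),
        "digits": sum(ch.isdigit() for ch in name),
        "entropy": entropy,
        "labels": len(labels),
        "max_label": max(label_lens),
        "avg_label": mean(label_lens),
    }


class BenignOnlyScorer:
    """One-class scorer: learn a benign profile, score unseen names by their
    largest per-feature z-distance from it. A deliberately simple stand-in
    for the paper's trained anomaly detector (assumption, not their model)."""

    def __init__(self, threshold=3.5):
        # With n benign samples no training name can exceed sqrt(n-1) sigma
        # (Samuelson's inequality), so 3.5 keeps the 12 names below unflagged.
        self.threshold = threshold
        self.mu, self.sigma = {}, {}

    def fit(self, benign_names):
        rows = [stateless_features(q) for q in benign_names]
        for f in FEATURE_ORDER:
            col = [r[f] for r in rows]
            self.mu[f] = mean(col)
            # A feature constant across benign data (e.g. no uppercase) gets
            # sigma=1 so a deviation counts as one unit instead of infinity.
            self.sigma[f] = pstdev(col) or 1.0
        return self

    def score(self, qname):
        feats = stateless_features(qname)
        return max(abs(feats[f] - self.mu[f]) / self.sigma[f] for f in FEATURE_ORDER)

    def is_anomalous(self, qname):
        return self.score(qname) > self.threshold


# Constructed stand-in for a benign set of top-ranked primary domains.
BENIGN_TRAIN = [
    "www.google.com", "mail.example.org", "cdn.cloudflare.net",
    "api.github.com", "static.wikipedia.org", "login.microsoftonline.com",
    "ocsp.digicert.com", "update.ubuntu.com", "time.apple.com",
    "s3.amazonaws.com", "www.nytimes.com", "a1.edge.example.net",
]

# Constructed names shaped like tunnel / exfiltration queries (hypothetical).
SUSPECT = [
    "mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.tun.example.com",  # base32-like
    "4a7f9c2e1b.3d5e8f0a1c.9b2d4f6e8a.exfil.example.net",          # hex chunks
]


def classify(names, scorer):
    """Map each query name to its anomaly verdict."""
    return {q: scorer.is_anomalous(q) for q in names}


if __name__ == "__main__":
    scorer = BenignOnlyScorer().fit(BENIGN_TRAIN)
    for q in ["mail.google.com"] + SUSPECT:
        print(f"{scorer.score(q):6.2f}  {str(scorer.is_anomalous(q)):5}  {q}")
```

Training on benign data only is what lets the detector flag a tunnel tool it has never seen: a 42-character base32 label or a run of hex chunks lands far outside the benign profile on length, digit count and entropy alone. The caveat is the flip side of "stateless": an exfiltration tool that sends short, dictionary-looking labels at a low rate stays inside the envelope, which is why the abstract pairs per-query scores with the query count over time and the set of internal hosts issuing them.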

Updated: 2020-03-01