DNS Tunneling Detection by Cache-Property-Aware Features
IEEE Transactions on Network and Service Management (IF 4.7), Pub Date: 2021-05-10, DOI: 10.1109/tnsm.2021.3078428
Naotake Ishikura, Daishi Kondo, Vassilis Vassiliades, Iordan Iordanov, Hideki Tode

Many enterprises are under threat of targeted attacks aiming at data exfiltration. To launch such attacks, in recent years, attackers with their malware have exploited a covert channel that abuses the domain name system (DNS) named DNS tunneling. Although several research efforts have been made to detect DNS tunneling, the existing methods rely on features that advanced tunneling techniques can easily obfuscate by mimicking legitimate DNS clients. Such obfuscation would result in data leakage. To tackle this problem, we focused on a “trace” left by DNS tunneling that cannot be easily hidden. In the context of data exfiltration by DNS tunneling, the malware connects directly to the DNS cache server and the generated DNS tunneling queries produce cache misses with absolute certainty. In this study, we propose a DNS tunneling detection method based on the cache-property-aware features. Our experiments show that one of the proposed features can efficiently characterize the DNS tunneling traffic. Furthermore, we introduce a rule-based filter and a long short-term memory (LSTM)-based filter using this proposed feature. The rule-based filter achieves a higher rate of DNS tunneling attack detection than the LSTM one, which instead detects the attack more quickly, while both maintain a low misdetection rate.
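As an added illustration of the cache-miss feature the abstract describes, the Python below is not the authors' code and does not reproduce their exact rule: it parses constructed resolver log lines carrying a HIT/MISS flag (an assumed log format), tracks each client's cache-miss ratio over its most recent queries, and flags clients whose ratio reaches an assumed threshold, the shape a rule-based filter on this feature takes.

```python
from collections import defaultdict

# Constructed sample lines in an assumed caching-resolver log format
# (not data from the paper): "<epoch> <client_ip> <qname> <HIT|MISS>".
# Client 10.0.0.5 browses normally; 10.0.0.9 sends unique labels under
# one zone, which the cache can never have seen, so they all miss.
SAMPLE_LOG = """\
1620000000 10.0.0.5 www.example.com HIT
1620000001 10.0.0.5 mail.example.com HIT
1620000002 10.0.0.5 cdn.example.net MISS
1620000003 10.0.0.5 www.example.com HIT
1620000004 10.0.0.5 api.example.org HIT
1620000010 10.0.0.9 a1b2c3.tun.example MISS
1620000011 10.0.0.9 d4e5f6.tun.example MISS
1620000012 10.0.0.9 0a0b0c.tun.example MISS
1620000013 10.0.0.9 www.example.com HIT
1620000014 10.0.0.9 9f8e7d.tun.example MISS
"""


def parse_log(text):
    """Yield (timestamp, client, qname, hit) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("HIT", "MISS"):
            continue
        yield int(parts[0]), parts[1], parts[2].lower(), parts[3] == "HIT"


def recent_miss_counts(text, window=5):
    """Per client: (misses, total) over that client's last `window` queries."""
    recent = defaultdict(list)
    for _, client, _, hit in parse_log(text):
        q = recent[client]
        q.append(hit)
        if len(q) > window:          # keep only the newest `window` results
            del q[0]
    return {c: (sum(1 for h in q if not h), len(q)) for c, q in recent.items()}


def flag_clients(text, window=5, min_queries=5, threshold=0.8):
    """Rule-based filter: flag clients whose recent miss ratio reaches the
    (assumed) threshold, once enough queries have been seen to judge."""
    flagged = []
    for client, (misses, total) in recent_miss_counts(text, window).items():
        if total >= min_queries and misses / total >= threshold:
            flagged.append(client)
    return sorted(flagged)
```

On a real resolver, forwarding resolvers and hosts behind NAT aggregate many users and can show a high miss ratio legitimately, so a deployed rule keys on the direct client and tunes the window and threshold against baseline traffic rather than using the constants above.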

Updated: 2021-05-10