The primary objective of DNS over HTTPS (DoH) is to improve users’ privacy and security by encrypting DNS traffic. However, its implementation also allows malicious actors to evade security measures that depend on analyzing unencrypted DNS data. Hence, in certain network environments, it becomes necessary to identify and block malicious DoH traffic to maintain security standards. While various detection methods have been proposed, they often rely on specialized flow monitoring tools capable of exporting complex features that are resource-intensive and hard to compute in real time. These limitations make it challenging to widely adopt them in real network environments. To address this gap, this study introduces a machine learning-based malicious DoH traffic detection and categorization mechanism, utilizing standard flow features. The proposed approach ensures compatibility with standard flow monitoring tools implementing protocols such as NetFlow, sFlow, and IPFIX, making it easier to deploy in diverse network infrastructures. The evaluation results confirm that the proposed system achieves a high classification accuracy of 98.9% in detecting malicious DoH traffic and 98.5% in further categorizing the DoH traffic.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Make It Easy: Enhanced Detection of DNS Tunneling Tools over DoH Using Standard Flow Features

  • Farhan Ahmad,
  • Muhammad Mansoor Alam,
  • Muhammad Salman,
  • Komal Batool

摘要

The primary objective of DNS over HTTPS (DoH) is to improve users’ privacy and security by encrypting DNS traffic. However, its implementation also allows malicious actors to evade security measures that depend on analyzing unencrypted DNS data. Hence, in certain network environments, it becomes necessary to identify and block malicious DoH traffic to maintain security standards. While various detection methods have been proposed, they often rely on specialized flow monitoring tools capable of exporting complex features that are resource-intensive and hard to compute in real time. These limitations make it challenging to widely adopt them in real network environments. To address this gap, this study introduces a machine learning-based malicious DoH traffic detection and categorization mechanism, utilizing standard flow features. The proposed approach ensures compatibility with standard flow monitoring tools implementing protocols such as NetFlow, sFlow, and IPFIX, making it easier to deploy in diverse network infrastructures. The evaluation results confirm that the proposed system achieves a high classification accuracy of 98.9% in detecting malicious DoH traffic and 98.5% in further categorizing the DoH traffic.