{"title":"A High Accuracy DNS Tunnel Detection Method Without Feature Engineering","authors":"Yang Chen, Xiaoyong Li","doi":"10.1109/CIS52066.2020.00086","DOIUrl":null,"url":null,"abstract":"Domain Name System (DNS) is a key protocol and service used on the Internet. It is responsible for converting domain names into IP addresses. DNS tunnel is a method of encoding data of other programs or protocols in DNS query and response. Previous studies usually need to extract a large number of features manually and train the classifier of DNS tunnel detection by feature engineering. In this paper, a new framework for DNS tunnel detection is proposed, which can automatically extract features, including long short-term memory (LSTM) language model with attention mechanism and gated recurrent unit (GRU) language model with attention mechanism. Finally, a single-level classifier based on a character-level convolutional neural network (Char-CNN) is proposed. The results show that the LSTM and GRU language models based on attention mechanism and the algorithm of character-level convolution neural network achieve high accuracy and near-zero false positives.","PeriodicalId":106959,"journal":{"name":"2020 16th International Conference on Computational Intelligence and Security (CIS)","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2020-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"5","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 16th International Conference on Computational Intelligence and Security (CIS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CIS52066.2020.00086","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 5
Abstract
The Domain Name System (DNS) is a key protocol and service used on the Internet. It is responsible for converting domain names into IP addresses. A DNS tunnel is a method of encoding data of other programs or protocols in DNS queries and responses. Previous studies usually need to extract a large number of features manually and train the classifier for DNS tunnel detection by feature engineering. In this paper, a new framework for DNS tunnel detection is proposed, which can automatically extract features, including a long short-term memory (LSTM) language model with an attention mechanism and a gated recurrent unit (GRU) language model with an attention mechanism. Finally, a single-level classifier based on a character-level convolutional neural network (Char-CNN) is proposed. The results show that the LSTM and GRU language models based on the attention mechanism and the character-level convolutional neural network algorithm achieve high accuracy and near-zero false positives.