Abstract

Domain fronting, a typical network covert channel, hides malicious information inside encrypted network connections, which are usually established with cloud-hosted domain names. Because these domain names, such as microsoft.com, have a high reputation, domain fronting naturally imitates normal network connections. At present, the common way to detect domain fronting is to use imitation flaws to distinguish it from normal network connections. Unlike existing approaches that use packet-level flaws, in this paper we propose DomEye, a novel method that uses flow-level flaws to detect domain fronting. The DomEye detector exploits a flow-level imitation flaw: domain fronting connections usually exhibit different throughput than normal connections. For example, meek, a domain fronting-based tool for covert darknet access, only reaches a throughput of about 10.7 KB at the 50th packet, significantly less than file, image and other normal network requests. Based on this imitation flaw, we extract statistical features of throughput fluctuation and feed them into machine learning algorithms to train the DomEye detector. Experiments on real-world network traffic prove that DomEye can accurately identify three kinds of domain fronting-based tools with a lower false positive rate and less computation overhead than the state-of-the-art methods. In conclusion, we propose a superior method for domain fronting detection based on the throughput imitation flaw. As this flaw is at the flow level, we hope more attention will be paid to mining flow-level flaws in the future.
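As an added illustration (not code from the DomEye paper), the sketch below computes the cumulative throughput at the 50th packet and a few fluctuation statistics for a flow given as a list of packet sizes in bytes. The feature names, the 10-packet window and both sample flows are assumptions constructed for this example, and 1 KB is taken as 1000 bytes.

```python
from itertools import accumulate
from statistics import mean, pstdev


def throughput_curve(sizes, k=50):
    """Cumulative bytes after each of the first k packets of one flow."""
    return list(accumulate(sizes[:k]))


def throughput_features(sizes, k=50, window=10):
    """Flow-level features describing how throughput grows and fluctuates.

    The feature set is an assumption for illustration; the abstract does
    not list the features DomEye uses.
    """
    head = sizes[:k]
    if not head:
        raise ValueError("flow has no packets")
    curve = throughput_curve(head, k)
    # Bytes added in each consecutive window of `window` packets.
    steps = [sum(head[i:i + window]) for i in range(0, len(head), window)]
    avg = mean(steps)
    return {
        "packets_seen": len(head),   # smaller than k for short flows
        "bytes_at_k": curve[-1],     # throughput reached at the k-th packet
        "pkt_mean": mean(head),
        "pkt_std": pstdev(head),
        "window_mean": avg,
        "window_cv": pstdev(steps) / avg if avg else 0.0,
    }


# Constructed sample flows (not captured traffic).
# Slow, small-packet flow sized to total 10.7 KB at packet 50.
SLOW_FLOW = [120, 308] * 25
# Bulk download: two small request packets, then full-size segments.
DOWNLOAD = [250, 180] + [1460] * 48

if __name__ == "__main__":
    for name, flow in (("slow", SLOW_FLOW), ("download", DOWNLOAD)):
        print(name, throughput_features(flow))
```

Vectors like these, computed per flow, are what would be passed to a classifier; training and model choice are outside this sketch.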
