http://www.ijrter.com/papers/volume-2/issue-4/dns-tunneling-detection.pdf
《DNS Tunneling Detection》
In this paper we have presented a method of the DNS tunneling detection based on the clustering of the DNS traffic images.
检测手段也分为两种:
DNS packet analysis and DNS traffic analysis. Packet analysis denotes the request and response payload examination. Traffic analysis denotes the packets study in time to collect statistics – such as count of the packets from a single host, submission frequency, etc.
DNS packet analysis方法:
1. Request and response packet size analysis.
2. Domain names entropy analysis.
3. Usage of the non-common types of DNS resource records.
4. Frequency of the digit occurrences in the domain names.
DNS traffic analysis techniques:
1. The DNS traffic volume from a single IP address.
2. 2. The DNS traffic volume for certain domains.
3. The DNS server geographic location.
4. Time of the DNS resource records creation.
http://onlinelibrary.wiley.com/wol1/doi/10.1002/dac.2836/full
DNS tunneling detection through statistical fingerprints of protocol messages and machine learning
The proposed monitoring mechanism looks at simple statistical properties of protocol messages, such as statistics of packets inter-arrival times and of packets sizes.
https://arxiv.org/abs/1004.4358
Detecting DNS Tunnels Using Character Frequency Analysis
This paper explores the possibility of detecting DNS tunnels by analyzing the unigram, bigram, and trigram character frequencies of domains in DNS queries and responses. It is empirically shown how domains follow Zipf's law in a similar pattern to natural languages, whereas tunneled traffic has more evenly distributed character frequencies. This approach allows tunnels to be detected across multiple domains, whereas previous methods typically concentrate on monitoring point to point systems. Anomalies are quickly discovered when tunneled traffic is compared to the character frequency fingerprint of legitimate domain traffic.
http://www.sciencedirect.com/science/article/pii/S1389128608003071
Tunnel Hunter: Detecting application-layer tunnels with statistical fingerprinting
In this paper we propose a statistical classification mechanism that could represent an important step towards new techniques for securing network boundaries. The mechanism, called Tunnel Hunter, relies on the statistical characterization at the IP-layer of the traffic that is allowed by a given security policy, such as HTTP or SSH. The statistical profiles of the allowed usages of those protocols can then be dynamically checked against traffic flows crossing the network boundaries, identifying with great accuracy when a flow is being used to tunnel another protocol.
类似文章在:A Bigram based Real Time DNS Tunnel Detection Approach
http://www.sciencedirect.com/science/article/pii/S1877050913002421
http://ieeexplore.ieee.org/abstract/document/6755060/?reload=true
Basic classifiers for DNS tunneling detection
The paper deals with DNS tunneling detection by means of simple supervised learning schemes, applied to statistical features of DNS queries and answers.
https://link.springer.com/chapter/10.1007/978-3-319-07995-0_46
Supervised Learning Approaches with Majority Voting for DNS Tunneling Detection
To do that, we pose a classification problem on several statistical fingerprints
(features) of query and answers, acquired during the system evolution. More
specifically, let q and a be the packet sizes of a query and the corresponding
answer。
https://link.springer.com/chapter/10.1007/978-3-642-38998-6_16
Flow-Based Detection of DNS Tunnels
In this paper we develop such a technique, based on the monitoring and analysis of network flows. Our methodology combines flow information with statistical methods for anomaly detection. The contribution of our paper is twofold. Firstly, based on flow-derived variables that we identified as indicative of DNS tunnelling activities, we identify and evaluate a set of non-parametrical statistical tests that are particularly useful in this context. Secondly, the efficacy of the resulting tests is demonstrated by extensive validation experiments in an operational environment, covering many different usage scenarios.