QURSA
QURSA - Arquitecturas y técnicas resistentes a computación cuántica: Seguridad post-cuántica
AGENCIA ESTATAL DE INVESTIGACION (AEI)
(Ref. TED2021-130369B-C32)
12/ 2022
--
11/ 2024
The QURSA project addresses the design and proof of concept of an architecture and algorithms for quantum key distribution (QKD) over complex networks, and their integration with the classical Internet core and distribution infrastructures by means of an improved post-processing layer. To achieve an effective, seamless integration and to maximize the adoption of quantum-based physical security across a diverse range of domains, we also propose to develop novel bridge QKD endpoints: a set of physical equipment, part of the QKD network itself but located near the network edge, to which end users (individuals or firms) can bring their own devices to download and take away secure, uncorrelated keys generated and distributed through the QKD network. As a complement, we propose the use of truly random quantum-generated keys as randomness sources for the first general implementation of post-quantum cryptographic (PQC) signing and encryption algorithms. These PQ techniques are presently at the final stages of the standardization process started by NIST in 2016, and the resulting PQC primitives will thus be embedded into the universal Internet carrier and signaling protocols (e.g., TLS/DTLS, HTTP, DNSSEC), guaranteeing security for network applications and their pervasive traffic. With this approach, the reach of quantum-safe security is stretched out to the bulk of Internet traffic by means of an evolutionary roadmap.
QURSA will adopt the well-known design principles of software-defined networking (SDN), separating the control, data and management planes of the QKD network, as the emerging technical standards in this field issued by ETSI, the IETF and the ITU advocate. The proposed proof of concept that binds together and tests all the technical challenges of the project will be a pilot demonstrating and testing the hybridization of quantum-based and quantum-safe communications on a managed open network. Besides making QKD usable as a service, this pilot showcases most of the features that will be faced in this research agenda: the creation and management of ultra-secure channels, the engineering of the composite quantum-classical network, an instantiation of quantum-safe Internet protocols, and a flexible distributed management system based on SDN principles. In addition to our own equipment and background, we have engaged CESGA, CCN and INCIBE to support us in building and testing a feasible pilot.
Publications
Blanco-Romero, Javier; Lorenzo, Vicente; Almenares, Florina; Díaz-Sánchez, Daniel; Campo, Celeste; García-Rubio, Carlos
Integrating Post-Quantum Cryptography into CoAP and MQTT-SN Protocols Conference
2024 IEEE Symposium on Computers and Communications (ISCC), IEEE, 2024, ISBN: 979-8-3503-5424-9.
@conference{javierblanco002,
title = {Integrating Post-Quantum Cryptography into CoAP and MQTT-SN Protocols},
author = {Javier Blanco-Romero and Vicente Lorenzo and Florina Almenares and Daniel Díaz-Sánchez and Celeste Campo and Carlos García-Rubio},
url = {https://ieeexplore.ieee.org/abstract/document/10733716/figures#figures},
doi = {https://doi.org/10.1109/ISCC61673.2024.10733716},
isbn = {979-8-3503-5424-9},
year = {2024},
date = {2024-10-31},
urldate = {2024-10-31},
booktitle = {2024 IEEE Symposium on Computers and Communications (ISCC)},
publisher = {IEEE},
abstract = {Post-Quantum Cryptography (PQC) is a practical and cost-effective solution to defend against emerging quantum computing threats. So, leading worldwide security agencies and standardization bodies strongly advocate for the proactive integration of PQ cryptography into underlying frameworks to support applications, protocols, and services. The current research predominantly addresses the incorporation of PQC in Internet communication protocols such as HTTP and DNS; nevertheless, the focus on embedded devices has been limited to evaluating PQC’s integration within TLS/DTLS in isolation. Hence, there is a notable gap in understanding how PQC impacts IoT-specific communication protocols. This paper presents the integration of PQC into two communication protocols specifically tailored for IoT devices, the Constrained Application Protocol (CoAP) and MQTT for Sensor Networks (MQTT-SN), via the wolfSSL library. These two integrations contribute to the understanding of PQC’s implications for IoT communication protocols.},
keywords = {},
pubstate = {published},
tppubtype = {conference}
}
Post-Quantum Cryptography (PQC) is a practical and cost-effective solution to defend against emerging quantum computing threats. So, leading worldwide security agencies and standardization bodies strongly advocate for the proactive integration of PQ cryptography into underlying frameworks to support applications, protocols, and services. The current research predominantly addresses the incorporation of PQC in Internet communication protocols such as HTTP and DNS; nevertheless, the focus on embedded devices has been limited to evaluating PQC’s integration within TLS/DTLS in isolation. Hence, there is a notable gap in understanding how PQC impacts IoT-specific communication protocols. This paper presents the integration of PQC into two communication protocols specifically tailored for IoT devices, the Constrained Application Protocol (CoAP) and MQTT for Sensor Networks (MQTT-SN), via the wolfSSL library. These two integrations contribute to the understanding of PQC’s implications for IoT communication protocols.
Blanco-Romero, Javier; Lorenzo, Vicente; Almenares, Florina; Díaz-Sánchez, Daniel; García-Rubio, Carlos; Campo, Celeste; Marín, Andrés
Evaluating integration methods of a quantum random number generator in OpenSSL for TLS Journal Article
In: Computer Networks, vol. 255, 2024, ISSN: 1389-1286.
@article{javierblanco003,
title = {Evaluating integration methods of a quantum random number generator in OpenSSL for TLS},
author = {Javier Blanco-Romero and Vicente Lorenzo and Florina Almenares and Daniel Díaz-Sánchez and Carlos García-Rubio and Celeste Campo and Andrés Marín},
url = {https://www.sciencedirect.com/science/article/pii/S1389128624007096?via%3Dihub},
doi = {https://doi.org/10.1016/j.comnet.2024.110877},
issn = {1389-1286},
year = {2024},
date = {2024-10-25},
urldate = {2024-10-25},
volume = {255},
journal = {Computer Networks},
abstract = {The rapid advancement of quantum computing poses a significant threat to conventional cryptography. Whilst post-quantum cryptography (PQC) stands as the prevailing trend for fortifying the security of cryptographic systems, the coexistence of quantum and classical computing paradigms presents an opportunity to leverage the strengths of both technologies, for instance, nowadays the use of Quantum Random Number Generators (QRNGs) – considered as True Random Number Generators (TRNGs) – opens up the possibility of discussing hybrid systems. In this paper, we evaluate both aspects, on the one hand, we use a hybrid TLS (Transport Layer Security) protocol that leverages the widely used secure protocol on the Internet and integrates PQC algorithms, and, on the other hand, we evaluate two approaches to integrate a QRNG, i.e., Quantis PCIe-240M, in OpenSSL 3.0 to be used by TLS. Both approaches are compared through an Nginx Web server, that uses OpenSSL’s implementation of TLS 1.3 for secure web communication. Our findings highlight the importance of optimizing such an integration method, because while direct integration can lead to performance penalties specific to the method and hardware used, alternative methods demonstrate the potential for efficient QRNG deployment in cryptographic systems.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The rapid advancement of quantum computing poses a significant threat to conventional cryptography. Whilst post-quantum cryptography (PQC) stands as the prevailing trend for fortifying the security of cryptographic systems, the coexistence of quantum and classical computing paradigms presents an opportunity to leverage the strengths of both technologies, for instance, nowadays the use of Quantum Random Number Generators (QRNGs) – considered as True Random Number Generators (TRNGs) – opens up the possibility of discussing hybrid systems. In this paper, we evaluate both aspects, on the one hand, we use a hybrid TLS (Transport Layer Security) protocol that leverages the widely used secure protocol on the Internet and integrates PQC algorithms, and, on the other hand, we evaluate two approaches to integrate a QRNG, i.e., Quantis PCIe-240M, in OpenSSL 3.0 to be used by TLS. Both approaches are compared through an Nginx Web server, that uses OpenSSL’s implementation of TLS 1.3 for secure web communication. Our findings highlight the importance of optimizing such an integration method, because while direct integration can lead to performance penalties specific to the method and hardware used, alternative methods demonstrate the potential for efficient QRNG deployment in cryptographic systems.
Moure-Garrido, Marta; Das, Sajal; Campo, Celeste; García-Rubio, Carlos
Real-Time Analysis of Encrypted DNS Traffic for Threat Detection Conference
ICC 2024 - IEEE International Conference on Communications, IEEE, 2024, ISSN: 1550-3607.
@conference{marta003,
title = {Real-Time Analysis of Encrypted DNS Traffic for Threat Detection},
author = {Marta Moure-Garrido and Sajal Das and Celeste Campo and Carlos García-Rubio},
url = {https://ieeexplore.ieee.org/document/10622347},
doi = {https://doi.org/10.1109/ICC51166.2024.10622347},
issn = {1550-3607},
year = {2024},
date = {2024-08-20},
booktitle = {ICC 2024 - IEEE International Conference on Communications},
pages = {3292-3297},
publisher = {IEEE},
abstract = {Domain Name System (DNS) tunneling is a well-known cyber-attack that allows data exfiltration - the attackers exploit this tunnel to extract sensitive information from the system. Advanced Persistent Threat (APT) attackers encapsulate malicious traffic in a DNS connection to elude security mechanisms such as Intrusion Detection System (IDS). Although different techniques have been implemented to detect these targeted attacks, their rise induces a threat to Cyber-Physical Systems (CPS). The DNS over HTTPS (DoH) tunnel detection is a challenge because the encrypted data prevents an analysis of DNS traffic content. In this paper, we present a novel detection system that identifies malicious DoH tunnels in real time. We study the normal traffic pattern and based on that, we define a profile. The objective of this system is to detect malicious activity on the system as early as possible through a lightweight packet by packet analysis based on a real-time IDS classifier. This system is evaluated on three available data sets and the results obtained are compared with a machine learning technique. We demonstrate that the identification of anomalous activity, in particular DoH tunnels, is possible by analyzing different traffic features.},
keywords = {},
pubstate = {published},
tppubtype = {conference}
}
Domain Name System (DNS) tunneling is a well-known cyber-attack that allows data exfiltration - the attackers exploit this tunnel to extract sensitive information from the system. Advanced Persistent Threat (APT) attackers encapsulate malicious traffic in a DNS connection to elude security mechanisms such as Intrusion Detection System (IDS). Although different techniques have been implemented to detect these targeted attacks, their rise induces a threat to Cyber-Physical Systems (CPS). The DNS over HTTPS (DoH) tunnel detection is a challenge because the encrypted data prevents an analysis of DNS traffic content. In this paper, we present a novel detection system that identifies malicious DoH tunnels in real time. We study the normal traffic pattern and based on that, we define a profile. The objective of this system is to detect malicious activity on the system as early as possible through a lightweight packet by packet analysis based on a real-time IDS classifier. This system is evaluated on three available data sets and the results obtained are compared with a machine learning technique. We demonstrate that the identification of anomalous activity, in particular DoH tunnels, is possible by analyzing different traffic features.
Campo-Vázquez, Celeste; García-Rubio, Carlos; Jimenez-Berenguel, Andrea; Moure-Garrido, Marta; Almenares-Mendoza, Florina; Díaz-Sánchez, Daniel
Inferring mobile applications usage from DNS traffic Journal Article
In: Ad Hoc Networks, Elsevier B.V., 2024.
@article{campo012,
title = {Inferring mobile applications usage from DNS traffic},
author = {Celeste Campo-Vázquez and Carlos García-Rubio and Andrea Jimenez-Berenguel and Marta Moure-Garrido and Florina Almenares-Mendoza and Daniel Díaz-Sánchez},
url = {https://www.sciencedirect.com/science/article/pii/S1570870524002129#d1e710},
doi = {https://doi.org/10.1016/j.adhoc.2024.103601},
year = {2024},
date = {2024-07-19},
urldate = {2024-07-19},
journal = {Ad Hoc Networks},
publisher = {Elsevier B.V.},
abstract = {In the digital era, our lives are intrinsically linked to the daily use of mobile applications. As a consequence, we generate and transmit a large amount of personal data that puts our privacy in danger. Despite having encrypted communications, the DNS traffic is usually not encrypted, and it is possible to extract valuable information from the traffic generated by mobile applications. This study focuses on the analysis of the DNS traffic behavior found in mobile application traces, developing a methodology capable of identifying mobile applications based on the domains they query. With this methodology, we were able to identify apps with 98% accuracy. Furthermore, we have validated the effectiveness of the characterization obtained with one dataset by identifying traces from other independent datasets. The evaluation showed that the methodology provides successful results in identifying mobile applications.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
In the digital era, our lives are intrinsically linked to the daily use of mobile applications. As a consequence, we generate and transmit a large amount of personal data that puts our privacy in danger. Despite having encrypted communications, the DNS traffic is usually not encrypted, and it is possible to extract valuable information from the traffic generated by mobile applications. This study focuses on the analysis of the DNS traffic behavior found in mobile application traces, developing a methodology capable of identifying mobile applications based on the domains they query. With this methodology, we were able to identify apps with 98% accuracy. Furthermore, we have validated the effectiveness of the characterization obtained with one dataset by identifying traces from other independent datasets. The evaluation showed that the methodology provides successful results in identifying mobile applications.
Jimenez-Berenguel, Andrea; Moure-Garrido, Marta; García-Rubio, Carlos; Campo-Vázquez, Celeste
Caracterización de aplicaciones móviles mediante el análisis del tráfico DNS Proceedings Article
In: IX Jornadas Nacionales de Investigación en Ciberseguridad - JNIC 2024, pp. 506-507, Universidad de Sevilla, 2024, ISBN: 978-84-09-62140-8.
@inproceedings{andrea001,
title = {Caracterización de aplicaciones móviles mediante el análisis del tráfico DNS},
author = {Andrea Jimenez-Berenguel and Marta Moure-Garrido and Carlos García-Rubio and Celeste Campo-Vázquez},
url = {https://idus.us.es/handle/11441/159179
https://dialnet.unirioja.es/servlet/articulo?codigo=9633499
https://idus.us.es/bitstream/handle/11441/159179/ActasJNIC24%20%282%20ed%29.pdf?sequence=4&isAllowed=y},
isbn = {978-84-09-62140-8},
year = {2024},
date = {2024-05-28},
urldate = {2024-05-28},
booktitle = {IX Jornadas Nacionales de Investigación en Ciberseguridad - JNIC 2024},
pages = {506-507},
publisher = {Universidad de Sevilla},
abstract = {User privacy remains vulnerable, even when encrypted communication protocols such as HTTPS are used, if DNS queries are sent in clear text over UDP port 53 (Do53). In this study, we demonstrate that it is possible to characterize the mobile application a user is using based on its Do53 traffic. By analysing a traffic dataset made up of 80 Android mobile applications, we can identify the application in use from its DNS queries with an accuracy of 88.75%. Although modern operating systems, including Android since version 9.0, support encrypted DNS traffic, this feature is not enabled by default and depends on the DNS provider's support. Moreover, even when DNS traffic is encrypted, the DNS service provider still has access to our queries and could extract information from them.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
User privacy remains vulnerable, even when encrypted communication protocols such as HTTPS are used, if DNS queries are sent in clear text over UDP port 53 (Do53). In this study, we demonstrate that it is possible to characterize the mobile application a user is using based on its Do53 traffic. By analysing a traffic dataset made up of 80 Android mobile applications, we can identify the application in use from its DNS queries with an accuracy of 88.75%. Although modern operating systems, including Android since version 9.0, support encrypted DNS traffic, this feature is not enabled by default and depends on the DNS provider's support. Moreover, even when DNS traffic is encrypted, the DNS service provider still has access to our queries and could extract information from them.
Moure-Garrido, Marta; García-Rubio, Carlos; Campo, Celeste
Reducing DNS Traffic to Enhance Home IoT Device Privacy Journal Article
In: Sensors, vol. 24, iss. 9, 2024.
@article{marta001,
title = {Reducing DNS Traffic to Enhance Home IoT Device Privacy},
author = {Marta Moure-Garrido and Carlos García-Rubio and Celeste Campo},
url = {https://www.mdpi.com/1424-8220/24/9/2690/pdf?version=1713941333},
doi = {https://doi.org/10.3390/s24092690},
year = {2024},
date = {2024-04-24},
urldate = {2024-04-24},
journal = {Sensors},
volume = {24},
issue = {9},
publisher = {MDPI},
abstract = {The deployment of Internet of Things (IoT) devices is widespread in different environments, including homes. Although security is incorporated, homes can become targets for cyberattacks because of their vulnerabilities. IoT devices generate Domain Name Server (DNS) traffic primarily for communication with Internet servers. In this paper, we present a detailed analysis of DNS traffic from IoT devices. The queried domains are highly distinctive, enabling attackers to easily identify the IoT device. In addition, we observed an unexpectedly high volume of queries. The analysis reveals that the same domains are repeatedly queried, DNS queries are transmitted in plain text over User Datagram Protocol (UDP) port 53 (Do53), and the excessive generation of traffic poses a security risk by amplifying an attacker’s ability to identify IoT devices and execute more precise, targeted attacks, consequently escalating the potential compromise of the entire IoT ecosystem. We propose a simple measure that can be taken to reduce DNS traffic generated by IoT devices, thus preventing it from being used as a vector to identify the types of devices present in the network. This measure is based on the implementation of the DNS cache in the devices; caching few resources increases privacy considerably.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The deployment of Internet of Things (IoT) devices is widespread in different environments, including homes. Although security is incorporated, homes can become targets for cyberattacks because of their vulnerabilities. IoT devices generate Domain Name Server (DNS) traffic primarily for communication with Internet servers. In this paper, we present a detailed analysis of DNS traffic from IoT devices. The queried domains are highly distinctive, enabling attackers to easily identify the IoT device. In addition, we observed an unexpectedly high volume of queries. The analysis reveals that the same domains are repeatedly queried, DNS queries are transmitted in plain text over User Datagram Protocol (UDP) port 53 (Do53), and the excessive generation of traffic poses a security risk by amplifying an attacker’s ability to identify IoT devices and execute more precise, targeted attacks, consequently escalating the potential compromise of the entire IoT ecosystem. We propose a simple measure that can be taken to reduce DNS traffic generated by IoT devices, thus preventing it from being used as a vector to identify the types of devices present in the network. This measure is based on the implementation of the DNS cache in the devices; caching few resources increases privacy considerably.
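The measure proposed in the abstract above, a resolver cache on the device itself, can be checked with a small simulation. The block below is an added example for this page, not the paper's measurement code or the caching mechanism it evaluated; the domain names, TTLs and the polling workload (telemetry every 10 s, time sync every 30 s, firmware check every 300 s) are constructed assumptions. It counts how many queries leave the device over ten minutes with and without a TTL-respecting cache.

```python
"""Effect of a device-side DNS cache on the query volume an on-path observer sees.

Added example; not the Sensors paper's code. Domains, TTLs and the polling
workload below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed upstream answers: name -> (address, TTL in seconds).
UPSTREAM: Dict[str, Tuple[str, int]] = {
    "time.example-iot.net": ("198.51.100.10", 300),
    "telemetry.example-iot.net": ("198.51.100.20", 60),
    "firmware.example-iot.net": ("198.51.100.30", 3600),
}


@dataclass
class DeviceResolver:
    """Stub resolver; with cache_enabled it keeps answers until their TTL expires."""
    cache_enabled: bool = True
    wire_queries: List[str] = field(default_factory=list)  # queries that left the device (visible on UDP/53)
    _cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # name -> (address, expiry time)

    def resolve(self, name: str, now: float) -> Optional[str]:
        if self.cache_enabled:
            hit = self._cache.get(name)
            if hit is not None and hit[1] > now:
                return hit[0]                  # served locally, nothing on the wire
        self.wire_queries.append(name)         # cache miss (or no cache): query goes out
        answer = UPSTREAM.get(name)
        if answer is None:
            return None
        addr, ttl = answer
        if self.cache_enabled:
            self._cache[name] = (addr, now + ttl)
        return addr


def simulate(cache_enabled: bool, duration_s: int = 600) -> Counter:
    """Replay a constructed IoT workload; return queries per name that reached the network.

    Workload: telemetry upload every 10 s, time sync every 30 s, firmware check every 300 s.
    """
    dev = DeviceResolver(cache_enabled=cache_enabled)
    for t in range(0, duration_s, 10):
        dev.resolve("telemetry.example-iot.net", t)
        if t % 30 == 0:
            dev.resolve("time.example-iot.net", t)
        if t % 300 == 0:
            dev.resolve("firmware.example-iot.net", t)
    return Counter(dev.wire_queries)


def wire_query_count(cache_enabled: bool) -> int:
    """Total number of queries an observer on the local network would see."""
    return sum(simulate(cache_enabled).values())


if __name__ == "__main__":
    for enabled in (False, True):
        seen = simulate(enabled)
        print(f"cache={'on' if enabled else 'off'}: {sum(seen.values())} queries, "
              f"{len(seen)} distinct names")
```

With this workload the cache cuts the wire traffic from 82 queries to 13 in ten minutes. Note what does not change: the set of distinct names is identical in both runs, so the cache lowers the rate at which the device re-announces its fingerprint rather than hiding the names themselves; an observer who captures the first resolution of each name still learns them.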
Jimenez-Berenguel, Andrea; Moure-Garrido, Marta; García-Rubio, Carlos; Campo-Vázquez, Celeste
Characterizing Mobile Applications Through Analysis of DNS Traffic Conference
PE-WASUN '23: Proceedings of the Int'l ACM Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor & Ubiquitous Networks, ACM, 2023, ISBN: 979-8-4007-0370-6.
@conference{campo013,
title = {Characterizing Mobile Applications Through Analysis of DNS Traffic},
author = {Andrea Jimenez-Berenguel and Marta Moure-Garrido and Carlos García-Rubio and Celeste Campo-Vázquez},
doi = {https://doi.org/10.1145/3616394.3618268},
isbn = {979-8-4007-0370-6},
year = {2023},
date = {2023-10-30},
urldate = {2023-10-30},
booktitle = {PE-WASUN '23: Proceedings of the Int'l ACM Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor & Ubiquitous Networks},
pages = {69-76},
publisher = {ACM},
abstract = {User privacy may remain vulnerable when using encrypted communication protocols, such as HTTPS, if DNS queries are sent in cleartext over UDP port 53 (Do53). In this study, we demonstrate the possibility of characterizing the mobile application a user is using based on its Do53 traffic. By analyzing a dataset of traffic captured from 80 Android mobile apps, we can identify the app being used based on its DNS queries with an accuracy of 88.75%. While modern operating systems, including Android since version 9.0, support encrypted DNS traffic, this feature is not enabled by default and relies on the DNS provider's support. Moreover, even when DNS traffic is encrypted, the DNS service provider still has access to our queries and could potentially extract information from them.},
keywords = {},
pubstate = {published},
tppubtype = {conference}
}
User privacy may remain vulnerable when using encrypted communication protocols, such as HTTPS, if DNS queries are sent in cleartext over UDP port 53 (Do53). In this study, we demonstrate the possibility of characterizing the mobile application a user is using based on its Do53 traffic. By analyzing a dataset of traffic captured from 80 Android mobile apps, we can identify the app being used based on its DNS queries with an accuracy of 88.75%. While modern operating systems, including Android since version 9.0, support encrypted DNS traffic, this feature is not enabled by default and relies on the DNS provider's support. Moreover, even when DNS traffic is encrypted, the DNS service provider still has access to our queries and could potentially extract information from them.
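The Ad Hoc Networks, JNIC and PE-WASUN abstracts above all rest on the same idea: the set of names an app resolves is distinctive enough to identify it. The block below is an added example illustrating that idea, not the papers' methodology, dataset or accuracy figures. The app labels, domain names and captures are constructed; the scoring rule (an IDF-style weight that discounts names shared by many apps, and a minimum score before a label is returned) is an assumption of this example.

```python
"""Identify a mobile app from the DNS names it queries.

Added example; not the methodology or dataset of the papers above. Apps,
domain names and traces are constructed. In a real capture the names would be
the QNAME field of Do53 queries seen during a labelled app session.
"""
import math
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed training traces: app label -> names queried during a labelled session.
# The CDN and analytics names are deliberately shared by several apps.
TRAINING: Dict[str, List[str]] = {
    "weather-app": ["api.weather-example.com", "tiles.weather-example.com",
                    "cdn.shared-cdn.example", "analytics.shared-track.example"],
    "chat-app": ["msg.chat-example.org", "media.chat-example.org",
                 "cdn.shared-cdn.example", "analytics.shared-track.example"],
    "news-app": ["feed.news-example.net", "img.news-example.net",
                 "cdn.shared-cdn.example"],
}

Profiles = Dict[str, Set[str]]
Weights = Dict[str, float]


def build_profiles(training: Dict[str, Iterable[str]]) -> Tuple[Profiles, Weights]:
    """Return per-app name sets and an IDF-style weight per name.

    A name queried by every app (CDN, analytics, OS services) says little about
    which app is running, so it is down-weighted: log((apps + 1) / apps_using_name).
    """
    profiles = {app: set(names) for app, names in training.items()}
    doc_freq: Dict[str, int] = defaultdict(int)
    for names in profiles.values():
        for name in names:
            doc_freq[name] += 1
    n_apps = len(profiles)
    weights = {name: math.log((n_apps + 1) / df) for name, df in doc_freq.items()}
    return profiles, weights


def classify(trace: Iterable[str], profiles: Profiles, weights: Weights,
             min_score: float = 0.5) -> Tuple[str, float]:
    """Score each app by the weighted fraction of its profile present in the trace.

    Returns (app, score). Names not in any profile are ignored. If no app
    reaches min_score the result is 'unknown'; that is what a trace made only
    of shared CDN/analytics names produces, instead of a confident wrong label.
    """
    observed = set(trace)
    best_app, best_score = "unknown", 0.0
    for app, names in profiles.items():
        total = sum(weights[n] for n in names)
        seen = sum(weights[n] for n in names & observed)
        score = seen / total if total else 0.0
        if score > best_score:
            best_app, best_score = app, score
    if best_score < min_score:
        return "unknown", best_score
    return best_app, best_score


if __name__ == "__main__":
    profiles, weights = build_profiles(TRAINING)
    # Constructed test capture: shared names, one app-specific name, one unrelated name.
    capture = ["cdn.shared-cdn.example", "analytics.shared-track.example",
               "api.weather-example.com", "unrelated.example"]
    print(classify(capture, profiles, weights))
    print(classify(["cdn.shared-cdn.example", "analytics.shared-track.example"],
                   profiles, weights))
```

The first capture is labelled weather-app with a score around 0.63 on the strength of a single app-specific name, while the shared-only capture stays unknown. The same weighting explains why the abstracts stress Do53 in particular: the classifier needs the QNAMEs, which DoT or DoH would hide from an on-path observer but not from the resolver operator.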
Moure-Garrido, Marta; Campo-Vázquez, Celeste; García-Rubio, Carlos
Real time detection of malicious DoH traffic using statistical analysis Journal Article
In: Computer Networks, vol. 234, art. no. 109910, pp. 1-10, 2023, ISSN: 1389-1286.
@article{campo002,
title = {Real time detection of malicious DoH traffic using statistical analysis},
author = {Marta Moure-Garrido and Celeste Campo-Vázquez and Carlos García-Rubio},
url = {http://hdl.handle.net/10016/38151},
doi = {https://doi.org/10.1016/j.comnet.2023.109910},
issn = {1389-1286},
year = {2023},
date = {2023-10-09},
urldate = {2023-10-09},
journal = {Computer Networks},
volume = {234},
number = {109910},
pages = {1-10},
abstract = {The DNS protocol plays a fundamental role in the operation of ubiquitous networks. All devices connected to these networks need DNS to work, both for traditional domain name to IP address translation, and for more advanced services such as resource discovery. DNS over HTTPS (DoH) solves certain security problems present in the DNS protocol. However, malicious DNS tunnels, a covert way of encapsulating malicious traffic in a DNS connection, are difficult to detect because the encrypted data prevents performing an analysis of the content of the DNS traffic.
In this study, we introduce a real-time system for detecting malicious DoH tunnels, which is based on analyzing DoH traffic using statistical methods. Our research demonstrates that it is feasible to identify in real-time malicious traffic by analyzing specific parameters extracted from DoH traffic. In addition, we conducted statistical analysis to identify the most significant features that distinguish malicious traffic from benign traffic. Using the selected features, we achieved satisfactory results in classifying DoH traffic as either benign or malicious.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The DNS protocol plays a fundamental role in the operation of ubiquitous networks. All devices connected to these networks need DNS to work, both for traditional domain name to IP address translation, and for more advanced services such as resource discovery. DNS over HTTPS (DoH) solves certain security problems present in the DNS protocol. However, malicious DNS tunnels, a covert way of encapsulating malicious traffic in a DNS connection, are difficult to detect because the encrypted data prevents performing an analysis of the content of the DNS traffic.
In this study, we introduce a real-time system for detecting malicious DoH tunnels, which is based on analyzing DoH traffic using statistical methods. Our research demonstrates that it is feasible to identify in real-time malicious traffic by analyzing specific parameters extracted from DoH traffic. In addition, we conducted statistical analysis to identify the most significant features that distinguish malicious traffic from benign traffic. Using the selected features, we achieved satisfactory results in classifying DoH traffic as either benign or malicious.
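Both the ICC 2024 abstract and this one describe the same shape of detector: build a profile of benign DoH traffic from a few per-packet features, then judge each new packet against it so that a tunnel is flagged while the connection is still open. The block below is an added example of that shape, not the papers' system, feature set, thresholds or datasets. The two features (TLS record length and inter-arrival gap), the z-score rule, the alert count and every flow in it are constructed assumptions.

```python
"""Profile-based, packet-by-packet detector for DoH tunnels.

Added example; not the detection system of the two papers above. Features,
thresholds and all flows are constructed for illustration.
"""
import statistics
from dataclasses import dataclass
from typing import Iterable, List, Tuple

Packet = Tuple[float, int]   # (timestamp in seconds, TLS record length in bytes) on one DoH connection


@dataclass
class Profile:
    """Mean and population std-dev of each feature over benign DoH traffic."""
    len_mean: float
    len_std: float
    gap_mean: float
    gap_std: float


def features(flow: List[Packet]) -> List[Tuple[float, float]]:
    """Per-packet features: record length and gap to the previous packet (0 for the first)."""
    out = []
    for i, (ts, length) in enumerate(flow):
        gap = ts - flow[i - 1][0] if i else 0.0
        out.append((float(length), gap))
    return out


def build_profile(benign_flows: Iterable[List[Packet]]) -> Profile:
    """Learn the 'normal' profile; the first packet of each flow has no gap and is skipped."""
    lens, gaps = [], []
    for flow in benign_flows:
        for length, gap in features(flow)[1:]:
            lens.append(length)
            gaps.append(gap)
    return Profile(statistics.mean(lens), statistics.pstdev(lens) or 1.0,
                   statistics.mean(gaps), statistics.pstdev(gaps) or 1.0)


def detect(flow: List[Packet], profile: Profile, z_thresh: float = 2.5,
           min_hits: int = 5) -> Tuple[bool, int]:
    """Decide packet by packet; return (alert, index of the packet that fired it, or -1).

    A packet is anomalous when either feature lies more than z_thresh standard
    deviations from the profile. A lone outlier (one large response) is
    tolerated; the alert fires on the min_hits-th anomalous packet, so a tunnel
    is reported mid-flow rather than after the connection closes.
    """
    hits = 0
    for i, (length, gap) in enumerate(features(flow)):
        if i == 0:
            continue
        z_len = abs(length - profile.len_mean) / profile.len_std
        z_gap = abs(gap - profile.gap_mean) / profile.gap_std
        if z_len > z_thresh or z_gap > z_thresh:
            hits += 1
            if hits >= min_hits:
                return True, i
    return False, -1


# Constructed benign DoH flows: small records, irregular gaps of roughly 1-2 s.
BENIGN_FLOWS: List[List[Packet]] = [
    [(0.0, 120), (1.2, 135), (2.9, 110), (4.1, 142), (6.0, 128), (7.4, 117)],
    [(0.0, 131), (0.8, 122), (2.5, 139), (3.3, 115), (5.1, 126)],
]
# Constructed held-out benign flow with one large response in the middle.
BENIGN_TEST_FLOW: List[Packet] = [(0.0, 125), (1.5, 118), (2.6, 300), (4.4, 130), (5.3, 121)]
# Constructed tunnel: large, uniform records every 50 ms.
TUNNEL_FLOW: List[Packet] = [(i * 0.05, 980) for i in range(8)]

if __name__ == "__main__":
    prof = build_profile(BENIGN_FLOWS)
    print(prof)
    print("benign:", detect(BENIGN_TEST_FLOW, prof))
    print("tunnel:", detect(TUNNEL_FLOW, prof))
```

On these inputs the tunnel is flagged at its fifth data packet and the benign flow passes despite its single 300-byte response. Two caveats carry over to any real deployment: the profile must be learned per vantage point (a resolver's traffic mix differs from a single client's), and the feature choice, not the scoring rule, is what determines whether low-and-slow tunnels that mimic benign gap distributions are caught; that feature selection is the substantive contribution the abstracts refer to.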