Publications

@conference{marta003,

title = {Real-Time Analysis of Encrypted DNS Traffic for Threat Detection},

author = {Marta Moure-Garrido and Sajal Das and Celeste Campo and Carlos García-Rubio},

url = {https://ieeexplore.ieee.org/document/10622347},

doi = {https://doi.org/10.1109/ICC51166.2024.10622347},

issn = {1550-3607},

year  = {2024},

date = {2024-08-20},

booktitle = {ICC 2024 - IEEE International Conference on Communications},

pages = {3292-3297},

publisher = {IEEE},

abstract = {Domain Name System (DNS) tunneling is a well-known cyber-attack that allows data exfiltration - the attackers exploit this tunnel to extract sensitive information from the system. Advanced Persistent Threat (APT) attackers encapsulate malicious traffic in a DNS connection to elude security mechanisms such as Intrusion Detection System (IDS). Although different techniques have been implemented to detect these targeted attacks, their rise induces a threat to Cyber-Physical Systems (CPS). The DNS over HTTPS (DoH) tunnel detection is a challenge because the encrypted data prevents an analysis of DNS traffic content. In this paper, we present a novel detection system that identifies malicious DoH tunnels in real time. We study the normal traffic pattern and based on that, we define a profile. The objective of this system is to detect malicious activity on the system as early as possible through a lightweight packet by packet analysis based on a real-time IDS classifier. This system is evaluated on three available data sets and the results obtained are compared with a machine learning technique. We demonstrate that the identification of anomalous activity, in particular DoH tunnels, is possible by analyzing different traffic features.},

keywords = {APT, compromise, dns tunnels, doh traffic, encrypted traffic, intrusion detection system, Qursa},

pubstate = {published},

tppubtype = {conference}

}

@conference{campo015,

title = {Detecting Malicious Use of DoH Tunnels Using Statistical Traffic Analysis},

author = {Marta Moure-Garrido and Celeste Campo-Vázquez and Carlos García-Rubio},

url = {https://dl.acm.org/doi/10.1145/3551663.3558605},

doi = {https://doi.org/10.1145/3551663.3558605},

isbn = {978-1-4503-9483-3},

year  = {2022},

date = {2022-10-24},

urldate = {2022-10-24},

booktitle = {PE-WASUN '22: Proceedings of the 19th ACM International Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, & Ubiquitous Networks},

publisher = {ACM},

abstract = {DNS plays a fundamental role in the operation of ubiquitous networks. All devices connected to these networks need DNS to work, both for traditional domain name to IP address translation, and for more advanced services such as resource discovery. At first, the DNS communication protocol presented certain security problems: integrity, authenticity and confidentiality. DNSSEC provides security but still does not guarantee confidentiality. To solve this problem, DNS over TLS (DoT) and DNS over HTTPS (DoH) were defined. In recent years, DNS tunneling, a covert form of encapsulating data transmission, has been used to encapsulate malicious traffic in a DNS connection. DoT and DoH versions complicate the detection of these tunnels because the encrypted data prevents performing an analysis of the content of the DNS traffic. Previous work has used machine learning techniques to identify DoH tunnels, but these have limitations. In this study, we identify the most significant features that singularize malicious traffic from benign traffic by statistical analysis. Based on the selected features, we obtain satisfactory results in the classification between benign and malicious DoH traffic. The study reveals that it is possible to differentiate traffic based on certain statistical parameters.},

keywords = {classification, compromise, cynamon, dns tunnels, doh traffic, magos, malicious doh, statistical analysis},

pubstate = {published},

tppubtype = {conference}

}