Publications - Pervasive Computing Laboratory

Access control anotacionsemantica authentication Cloud computing coap compromise cryptography cynamon emadrid emrisco home network I-Shaper identity management inrisco inteligenciafuentesabiertas Internet of Things intrusion detection system IoT magos middleware Pervasive computing privacy Protocols Qursa raudo2 Security Smart Card Trust management Ubisec VANETs 
Show all
2024
 Moure-Garrido, Marta;  Campo, Celeste;  García-Rubio, Carlos
Análisis estadístico del tráfico DoH para la detección del uso malicioso de túneles Conference 
Investigación en Ciberseguridad Actas de las VII Jornadas Nacionales (7º.2022.Bilbao) , 2024, ISBN: 978-84-88734-13-6.
Abstract | Links | BibTeX | Tags: analisis estadistico, compromise, cynamon, dns tunnels, DoH, malicious doh
@conference{marta002,

title = {Análisis estadístico del tráfico DoH para la detección del uso malicioso de túneles},

author = {Marta Moure-Garrido and Celeste Campo and Carlos García-Rubio},

url = {https://dialnet.unirioja.es/servlet/articulo?codigo=9206590},

isbn = {978-84-88734-13-6},

year  = {2024},

date = {2024-07-10},

urldate = {2024-07-10},

booktitle = {Investigación en Ciberseguridad Actas de las VII Jornadas Nacionales (7º.2022.Bilbao) },

pages = {38-41},

abstract = {Las primeras versiones de DNS presentaban ciertos problemas de seguridad: integridad, autenticidad y privacidad. Para solventarlos se definió DNSSEC, pero esta versión

seguía sin garantizar privacidad. Por ello, se definieron DNS sobre TLS (DoT) en 2016 y DNS sobre HTTPS (DoH) en 2018. En los ultimos años se ha empleado la tunelización DNS para encapsular trafico maligno. Las versiones DoT y DoH han complicado la detección de estos túneles dado que los datos van encriptados. En trabajos anteriores se emplean técnicas de aprendizaje automático para identificar túneles DoH, pero tienen limitaciones. En este trabajo realizamos un análisis estadístico para aprender el patrón del tráfico DoH y estudiar las diferencias entre el tráfico benigno y el tráfico creado con herramientas de tunelización. El análisis revela que ciertos parámetros estadísticos permiten diferenciar el trafico. El siguiente paso de la investigación es aplicar técnicas más elaboradas basándonos en el análisis realizado.},

keywords = {analisis estadistico, compromise, cynamon, dns tunnels, DoH, malicious doh},

pubstate = {published},

tppubtype = {conference}

}

Close
Las primeras versiones de DNS presentaban ciertos problemas de seguridad: integridad, autenticidad y privacidad. Para solventarlos se definió DNSSEC, pero esta versión

seguía sin garantizar privacidad. Por ello, se definieron DNS sobre TLS (DoT) en 2016 y DNS sobre HTTPS (DoH) en 2018. En los ultimos años se ha empleado la tunelización DNS para encapsular trafico maligno. Las versiones DoT y DoH han complicado la detección de estos túneles dado que los datos van encriptados. En trabajos anteriores se emplean técnicas de aprendizaje automático para identificar túneles DoH, pero tienen limitaciones. En este trabajo realizamos un análisis estadístico para aprender el patrón del tráfico DoH y estudiar las diferencias entre el tráfico benigno y el tráfico creado con herramientas de tunelización. El análisis revela que ciertos parámetros estadísticos permiten diferenciar el trafico. El siguiente paso de la investigación es aplicar técnicas más elaboradas basándonos en el análisis realizado.
Close
https://dialnet.unirioja.es/servlet/articulo?codigo=9206590
Close
2023
 Moure-Garrido, Marta;  Campo-Vázquez, Celeste;  García-Rubio, Carlos
Real time detection of malicious DoH traffic using statistical analysis  Journal Article 
In: COMPUTER NETWORKS, vol. 234, iss. 109910, pp. 1-10, 2023, ISSN: 1389-1286.
Abstract | Links | BibTeX | Tags: classification, compromise, computer science, cynamon, dns tunnels, doh traffic, intrusion detection system, malicious doh, Qursa, statistical analysis
@article{campo002,

title = {Real time detection of malicious DoH traffic using statistical analysis },

author = {Marta Moure-Garrido and Celeste Campo-Vázquez and Carlos García-Rubio},

url = {http://hdl.handle.net/10016/38151},

doi = {https://doi.org/10.1016/j.comnet.2023.109910},

issn = {1389-1286},

year  = {2023},

date = {2023-10-09},

urldate = {2023-10-09},

journal = {COMPUTER NETWORKS},

volume = {234},

issue = {109910},

pages = {1-10},

abstract = {The DNS protocol plays a fundamental role in the operation of ubiquitous networks. All devices connected to these networks need DNS to work, both for traditional domain name to IP address translation, and for more advanced services such as resource discovery. DNS over HTTPS (DoH) solves certain security problems present in the DNS protocol. However, malicious DNS tunnels, a covert way of encapsulating malicious traffic in a DNS connection, are difficult to detect because the encrypted data prevents performing an analysis of the content of the DNS traffic.



In this study, we introduce a real-time system for detecting malicious DoH tunnels, which is based on analyzing DoH traffic using statistical methods. Our research demonstrates that it is feasible to identify in real-time malicious traffic by analyzing specific parameters extracted from DoH traffic. In addition, we conducted statistical analysis to identify the most significant features that distinguish malicious traffic from benign traffic. Using the selected features, we achieved satisfactory results in classifying DoH traffic as either benign or malicious.},

keywords = {classification, compromise, computer science, cynamon, dns tunnels, doh traffic, intrusion detection system, malicious doh, Qursa, statistical analysis},

pubstate = {published},

tppubtype = {article}

}

Close
The DNS protocol plays a fundamental role in the operation of ubiquitous networks. All devices connected to these networks need DNS to work, both for traditional domain name to IP address translation, and for more advanced services such as resource discovery. DNS over HTTPS (DoH) solves certain security problems present in the DNS protocol. However, malicious DNS tunnels, a covert way of encapsulating malicious traffic in a DNS connection, are difficult to detect because the encrypted data prevents performing an analysis of the content of the DNS traffic.



In this study, we introduce a real-time system for detecting malicious DoH tunnels, which is based on analyzing DoH traffic using statistical methods. Our research demonstrates that it is feasible to identify in real-time malicious traffic by analyzing specific parameters extracted from DoH traffic. In addition, we conducted statistical analysis to identify the most significant features that distinguish malicious traffic from benign traffic. Using the selected features, we achieved satisfactory results in classifying DoH traffic as either benign or malicious.
Close
http://hdl.handle.net/10016/38151
doi:https://doi.org/10.1016/j.comnet.2023.109910
Close
2022
 Moure-Garrido, Marta;  Campo-Vázquez, Celeste;  García-Rubio, Carlos
Detecting Malicious Use of DoH Tunnels Using Statistical Traffic Analysis Conference 
PE-WASUN '22: Proceedings of the 19th ACM International Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, & Ubiquitous Networks, ACM, 2022, ISBN: 978-1-4503-9483-3.
Abstract | Links | BibTeX | Tags: classification, compromise, cynamon, dns tunnels, doh traffic, magos, malicious doh, statistical analysis
@conference{campo015,

title = {Detecting Malicious Use of DoH Tunnels Using Statistical Traffic Analysis},

author = {Marta Moure-Garrido and Celeste Campo-Vázquez and Carlos García-Rubio},

url = {https://dl.acm.org/doi/10.1145/3551663.3558605},

doi = {https://doi.org/10.1145/3551663.3558605},

isbn = {978-1-4503-9483-3},

year  = {2022},

date = {2022-10-24},

urldate = {2022-10-24},

booktitle = {PE-WASUN '22: Proceedings of the 19th ACM International Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, & Ubiquitous Networks},

publisher = {ACM},

abstract = {DNS plays a fundamental role in the operation of ubiquitous networks. All devices connected to these networks need DNS to work, both for traditional domain name to IP address translation, and for more advanced services such as resource discovery. At first, the DNS communication protocol presented certain security problems: integrity, authenticity and confidentiality. DNSSEC provides security but still does not guarantee confidentiality. To solve this problem, DNS over TLS (DoT) and DNS over HTTPS (DoH) were defined. In recent years, DNS tunneling, a covert form of encapsulating data transmission, has been used to encapsulate malicious traffic in a DNS connection. DoT and DoH versions complicate the detection of these tunnels because the encrypted data prevents performing an analysis of the content of the DNS traffic. Previous work has used machine learning techniques to identify DoH tunnels, but these have limitations. In this study, we identify the most significant features that singularize malicious traffic from benign traffic by statistical analysis. Based on the selected features, we obtain satisfactory results in the classification between benign and malicious DoH traffic. The study reveals that it is possible to differentiate traffic based on certain statistical parameters.},

keywords = {classification, compromise, cynamon, dns tunnels, doh traffic, magos, malicious doh, statistical analysis},

pubstate = {published},

tppubtype = {conference}

}

Close
DNS plays a fundamental role in the operation of ubiquitous networks. All devices connected to these networks need DNS to work, both for traditional domain name to IP address translation, and for more advanced services such as resource discovery. At first, the DNS communication protocol presented certain security problems: integrity, authenticity and confidentiality. DNSSEC provides security but still does not guarantee confidentiality. To solve this problem, DNS over TLS (DoT) and DNS over HTTPS (DoH) were defined. In recent years, DNS tunneling, a covert form of encapsulating data transmission, has been used to encapsulate malicious traffic in a DNS connection. DoT and DoH versions complicate the detection of these tunnels because the encrypted data prevents performing an analysis of the content of the DNS traffic. Previous work has used machine learning techniques to identify DoH tunnels, but these have limitations. In this study, we identify the most significant features that singularize malicious traffic from benign traffic by statistical analysis. Based on the selected features, we obtain satisfactory results in the classification between benign and malicious DoH traffic. The study reveals that it is possible to differentiate traffic based on certain statistical parameters.
Close
https://dl.acm.org/doi/10.1145/3551663.3558605
doi:https://doi.org/10.1145/3551663.3558605
Close