Moure-Garrido, Marta; Campo-Vázquez, Celeste; García-Rubio, Carlos. Real time detection of malicious DoH traffic using statistical analysis. Journal Article. In: Computer Networks, vol. 234, article 109910, pp. 1–10, 2023, ISSN: 1389-1286. Tags: classification, compromise, computer science, cynamon, dns tunnels, doh traffic, intrusion detection system, malicious doh, Qursa, statistical analysis.

Moure-Garrido, Marta; Campo-Vázquez, Celeste; García-Rubio, Carlos. Detecting Malicious Use of DoH Tunnels Using Statistical Traffic Analysis. Conference. In: PE-WASUN '22: Proceedings of the 19th ACM International Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, & Ubiquitous Networks, ACM, 2022, ISBN: 978-1-4503-9483-3. Tags: classification, compromise, cynamon, dns tunnels, doh traffic, magos, malicious doh, statistical analysis.

2023
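@article{campo002,
  title     = {Real time detection of malicious {DoH} traffic using statistical analysis},
  author    = {Moure-Garrido, Marta and Campo-Vázquez, Celeste and García-Rubio, Carlos},
  journal   = {Computer Networks},
  volume    = {234},
  eid       = {109910},
  pages     = {1--10},
  year      = {2023},
  date      = {2023-10-09},
  issn      = {1389-1286},
  doi       = {10.1016/j.comnet.2023.109910},
  url       = {http://hdl.handle.net/10016/38151},
  urldate   = {2023-10-09},
  abstract  = {The DNS protocol plays a fundamental role in the operation of ubiquitous networks. All devices connected to these networks need DNS to work, both for traditional domain name to IP address translation, and for more advanced services such as resource discovery. DNS over HTTPS (DoH) solves certain security problems present in the DNS protocol. However, malicious DNS tunnels, a covert way of encapsulating malicious traffic in a DNS connection, are difficult to detect because the encrypted data prevents performing an analysis of the content of the DNS traffic.
In this study, we introduce a real-time system for detecting malicious DoH tunnels, which is based on analyzing DoH traffic using statistical methods. Our research demonstrates that it is feasible to identify in real-time malicious traffic by analyzing specific parameters extracted from DoH traffic. In addition, we conducted statistical analysis to identify the most significant features that distinguish malicious traffic from benign traffic. Using the selected features, we achieved satisfactory results in classifying DoH traffic as either benign or malicious.},
  keywords  = {classification, compromise, computer science, cynamon, dns tunnels, doh traffic, intrusion detection system, malicious doh, Qursa, statistical analysis},
  pubstate  = {published},
  tppubtype = {article},
}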
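@inproceedings{campo015,
  title     = {Detecting Malicious Use of {DoH} Tunnels Using Statistical Traffic Analysis},
  author    = {Moure-Garrido, Marta and Campo-Vázquez, Celeste and García-Rubio, Carlos},
  booktitle = {{PE-WASUN} '22: Proceedings of the 19th {ACM} International Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, \& Ubiquitous Networks},
  publisher = {ACM},
  year      = {2022},
  date      = {2022-10-24},
  isbn      = {978-1-4503-9483-3},
  doi       = {10.1145/3551663.3558605},
  url       = {https://dl.acm.org/doi/10.1145/3551663.3558605},
  urldate   = {2022-10-24},
  abstract  = {DNS plays a fundamental role in the operation of ubiquitous networks. All devices connected to these networks need DNS to work, both for traditional domain name to IP address translation, and for more advanced services such as resource discovery. At first, the DNS communication protocol presented certain security problems: integrity, authenticity and confidentiality. DNSSEC provides security but still does not guarantee confidentiality. To solve this problem, DNS over TLS (DoT) and DNS over HTTPS (DoH) were defined. In recent years, DNS tunneling, a covert form of encapsulating data transmission, has been used to encapsulate malicious traffic in a DNS connection. DoT and DoH versions complicate the detection of these tunnels because the encrypted data prevents performing an analysis of the content of the DNS traffic. Previous work has used machine learning techniques to identify DoH tunnels, but these have limitations. In this study, we identify the most significant features that singularize malicious traffic from benign traffic by statistical analysis. Based on the selected features, we obtain satisfactory results in the classification between benign and malicious DoH traffic. The study reveals that it is possible to differentiate traffic based on certain statistical parameters.},
  keywords  = {classification, compromise, cynamon, dns tunnels, doh traffic, magos, malicious doh, statistical analysis},
  pubstate  = {published},
  tppubtype = {conference},
}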