Moure-Garrido, Marta; Das, Sajal; Campo, Celeste; García-Rubio, Carlos: Real-Time Analysis of Encrypted DNS Traffic for Threat Detection. Conference paper, ICC 2024 - IEEE International Conference on Communications, IEEE, 2024, ISSN: 1550-3607. Tags: APT, compromise, dns tunnels, doh traffic, encrypted traffic, intrusion detection system, Qursa2024
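@comment{
  marta003: conference paper on real-time detection of DNS-over-HTTPS tunnels
  (DoH-based exfiltration / APT command channels) with a packet-by-packet IDS
  classifier built from a normal-traffic profile, evaluated on three data sets.
  Normalised from the teachPress export: @conference -> @inproceedings (alias),
  bare DOI without resolver prefix, en-dash page range, "Last, First" names,
  acronyms brace-protected in title/booktitle. Both year and date are kept
  because the exporting tool (see tppubtype) relies on year; biblatex users
  may drop year. The tppubtype field is tool-specific and ignored by styles.
}
@inproceedings{marta003,
  title     = {Real-Time Analysis of Encrypted {DNS} Traffic for Threat Detection},
  author    = {Moure-Garrido, Marta and Das, Sajal and Campo, Celeste and García-Rubio, Carlos},
  booktitle = {{ICC} 2024 - {IEEE} International Conference on Communications},
  publisher = {IEEE},
  year      = {2024},
  date      = {2024-08-20},
  pages     = {3292--3297},
  issn      = {1550-3607},
  doi       = {10.1109/ICC51166.2024.10622347},
  url       = {https://ieeexplore.ieee.org/document/10622347},
  abstract  = {Domain Name System (DNS) tunneling is a well-known cyber-attack that allows data exfiltration - the attackers exploit this tunnel to extract sensitive information from the system. Advanced Persistent Threat (APT) attackers encapsulate malicious traffic in a DNS connection to elude security mechanisms such as Intrusion Detection System (IDS). Although different techniques have been implemented to detect these targeted attacks, their rise induces a threat to Cyber-Physical Systems (CPS). The DNS over HTTPS (DoH) tunnel detection is a challenge because the encrypted data prevents an analysis of DNS traffic content. In this paper, we present a novel detection system that identifies malicious DoH tunnels in real time. We study the normal traffic pattern and based on that, we define a profile. The objective of this system is to detect malicious activity on the system as early as possible through a lightweight packet by packet analysis based on a real-time IDS classifier. This system is evaluated on three available data sets and the results obtained are compared with a machine learning technique. We demonstrate that the identification of anomalous activity, in particular DoH tunnels, is possible by analyzing different traffic features.},
  keywords  = {APT, compromise, dns tunnels, doh traffic, encrypted traffic, intrusion detection system, Qursa},
  pubstate  = {published},
  tppubtype = {conference},
}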