•  
  •  
 

Abstract

The exponential rise in the number of malicious threats targeting computer networks and digital services puts network infrastructure in jeopardy. Domain name protocol attacks are one of the most pervasive network attacks posing a threat to networks, whereby attackers send harmful information to the network; this type of threat is identified as DNS tunneling. The DNS protocol has recently gained increased attention from cyber-attackers, targeting organizations with a web presence or reliance on e-commerce businesses. Cyber-attackers can subtly exploit the contents of encrypted DNS packets that are sent across covert network tunnels, which are difficult for firewalls and blacklist detection methods to detect. Therefore, efficient methods for detecting DNS intrusions in the network are required. Machine learning (ML), deep learning (DL), and computational intelligence models have proved to be increasingly effective in dealing with these cyber-attacks, especially when using an appropriate dataset. This paper proposes an intrusion detection model to detect malicious DNS over HTTPS (DoH) queries among network covert tunnels, using statistical analysis and Bi-directional Recurrent Neural Network (BRNN) techniques, based on the flow level of the network traffic. The proposed approach was tested and evaluated based on a realistic dataset called CIRA-CIC-DoHBrw-2020, provided by the Canadian Institute for Cybersecurity. Experiments have shown that the robustness of the model is strong, with a detection rate of 100%. Furthermore, the proposed model achieved high performance in terms of the accuracy rate in detecting malicious DoH queries, with low false-negative and false-positive rates. Furthermore, the number of features used is fewer than other approaches, making it perform faster in the training and testing phases.

Creative Commons License

Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.

Download

Share

COinS