Informatics

Text analysis of DNS queries for data exfiltration protection of computer networks

https://doi.org/10.37661/1816-0301-2020-17-3-78-86

Abstract

The paper proposes an effective method of protecting a computer network from data exfiltration through the Domain Name System (DNS). DNS data exfiltration is an approach to concealing the transfer of confidential data to a remote adversary by encapsulating the data into the requested domain name. The DNS requests considered are those that transfer stolen information from a host infected by malicious software to an external host controlled by the attacker. The paper proposes a method of detecting such DNS requests based on text classification of domain names by a convolutional neural network. The efficiency of the method rests on the assumption that domain names exploited for data exfiltration differ from domain names formed from words of natural language. To classify the requests in the convolutional neural network, character embedding is proposed for representing the string of a domain name. The quality of the trained neural network used to recognise data exfiltration through the domain name system is evaluated using ROC analysis.
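Two steps from the abstract, shown as an added example that is not the paper's code: the character-level representation of a query name that feeds an embedding layer (alphabet, index values, padding length and the sample names are assumptions), and the ROC-AUC of classifier scores computed as a rank statistic over constructed verdicts.

```python
# Added example (not the paper's code): character-level encoding of a DNS
# query name for a classifier input, plus ROC-AUC from classifier scores.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-._"  # hostname chars + separators
PAD, UNK = 0, 1                                        # reserved indices
CHAR_INDEX = {c: i + 2 for i, c in enumerate(ALPHABET)}
MAX_LEN = 253  # maximum length of a full domain name in DNS (RFC 1035)

def encode_domain(name, max_len=MAX_LEN):
    """Map a query name to a fixed-length sequence of character indices.
    The sequence feeds an embedding layer; it is padded with PAD (0)
    or truncated to max_len so every sample has the same shape."""
    name = name.rstrip(".").lower()
    indices = [CHAR_INDEX.get(c, UNK) for c in name[:max_len]]
    return indices + [PAD] * (max_len - len(indices))

def roc_auc(scores, labels):
    """Area under the ROC curve via the Mann-Whitney rank statistic:
    the probability that a random positive outranks a random negative.
    Ties count as half. labels: 1 = exfiltration, 0 = benign."""
    pos = [s for s, y in zip(scores, labels) if y == 1]
    neg = [s for s, y in zip(scores, labels) if y == 0]
    if not pos or not neg:
        raise ValueError("need both classes to compute AUC")
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0
               for p in pos for n in neg)
    return wins / (len(pos) * len(neg))

# Constructed sample (not real traffic): scores a classifier might emit for
# query names, with ground-truth labels (1 = payload encoded in a subdomain).
SAMPLE = [
    ("mail.example.com", 0.05, 0),
    ("www.wikipedia.org", 0.02, 0),
    ("cdn.images.example.net", 0.30, 0),
    ("4a6f686e20446f65.t.example-exfil.net", 0.97, 1),
    ("mzxw6ytboi4rs4ynbe.tun.example-exfil.net", 0.91, 1),
    ("a1b2c3d4e5f6.ex.example-exfil.net", 0.25, 1),
]

if __name__ == "__main__":
    print(encode_domain("mail.example.com", 16))
    print("AUC:", roc_auc([s for _, s, _ in SAMPLE], [y for _, _, y in SAMPLE]))
```

The low-scoring exfiltration name in the sample is what drags the AUC below 1.0; in the paper's setting the ROC curve is traced by sweeping the blocking threshold over exactly such scores.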

The paper presents the software architecture used to deploy the trained neural network into the existing infrastructure of the domain name system, targeting practical protection of computer networks from data exfiltration. The architecture implies the creation of response policy zones for blocking individual requests classified as malicious.
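The blocking step described above, as an added example rather than the paper's deployment code: classifier verdicts are turned into a BIND response policy zone in which each malicious query name gets its own `CNAME .` (NXDOMAIN) record, so only the classified names are blocked and the rest of the parent domain keeps resolving. The zone name `rpz.local.`, the threshold and the sample verdicts are assumptions.

```python
# Added example (not the paper's code): render classifier verdicts as a
# BIND Response Policy Zone that answers NXDOMAIN for individual names.
RPZ_ORIGIN = "rpz.local."  # assumed name of the local policy zone

def rpz_owner(qname):
    """Normalise a query name to an RPZ owner name relative to $ORIGIN,
    rejecting strings that are not valid DNS names (RFC 1035 limits)."""
    qname = qname.strip().rstrip(".").lower()
    labels = qname.split(".")
    if not qname or len(qname) > 253 or any(not l or len(l) > 63 for l in labels):
        raise ValueError("not a valid DNS name: %r" % qname)
    return qname

def rpz_records(verdicts, threshold):
    """One 'CNAME .' record (RPZ NXDOMAIN action) per query name whose
    score meets the threshold; lower-scoring names are left unblocked.
    verdicts: iterable of (qname, score) pairs from the classifier."""
    return ["%s CNAME ." % rpz_owner(n) for n, s in verdicts if s >= threshold]

def render_rpz_zone(verdicts, threshold, serial):
    """Complete zone file text. The SOA serial must increase on every
    reload or the resolver will not pick up the new policy."""
    header = [
        "$ORIGIN %s" % RPZ_ORIGIN,
        "$TTL 300",
        "@ IN SOA localhost. hostmaster.localhost. %d 3600 900 604800 300" % serial,
        "@ IN NS localhost.",
    ]
    return "\n".join(header + rpz_records(verdicts, threshold)) + "\n"

# Constructed verdicts (not real traffic): (query name, classifier score).
VERDICTS = [
    ("mail.example.com.", 0.05),
    ("4a6f686e20446f65.t.example-exfil.net", 0.97),
    ("MZXW6YTBOI4RS4YNBE.tun.example-exfil.net", 0.91),
    ("cdn.images.example.net", 0.30),
]

if __name__ == "__main__":
    print(render_rpz_zone(VERDICTS, threshold=0.5, serial=2020071501), end="")
```

The zone is loaded like any other and referenced from `named.conf` through a `response-policy { zone "rpz.local"; };` statement; because only query names are listed, a benign `www.example-exfil.net` in the same parent domain is unaffected.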

About the Authors

Ya. V. Bubnov
Belarusian State University of Informatics and Radioelectronics
Belarus

Yakov V. Bubnov, M. Sci. (Eng.), Postgraduate Student of Department of Electronic Computing Machines, Faculty of Computer Systems and Networks

Minsk

N. N. Ivanov
Belarusian State University of Informatics and Radioelectronics
Belarus

Nick N. Ivanov, Cand. Sci. (Phys.-Math.), Associate Professor of Department of Electronic Computing Machines, Faculty of Computer Systems and Networks

Minsk

For citations:

Bubnov Ya.V., Ivanov N.N. Text analysis of DNS queries for data exfiltration protection of computer networks. Informatics. 2020;17(3):78-86. (In Russ.) https://doi.org/10.37661/1816-0301-2020-17-3-78-86

This work is licensed under a Creative Commons Attribution 4.0 License.

ISSN 1816-0301 (Print)
ISSN 2617-6963 (Online)