Protection Against DNS Tunneling Abuses on Mobile Networks
The use of mobile internet is increasing as the service becomes faster and more reliable. It is used not only by smartphones and tablets; regular computers are connected as well. With the increase in usage comes the need for increased security. Companies have over the last 15 years been aware of Domain Name System (DNS) tunneling as a means to perform data exfiltration and Command and Control (C&C) attacks in their networks. Before that, DNS tunnels were used to access the internet at cafés and hotels without paying for it.

Mobile devices today contain more and more data that may be sensitive for both the user and their company, and DNS tunnels are already in use on mobile devices to avoid paying for data usage. If history repeats itself, as it often does, DNS tunnels will soon be used to exfiltrate data from mobile devices without anyone noticing. This is what this study tries to prevent: it looks for a viable machine learning classifier for detecting DNS tunnels.

Machine learning is a good tool for finding statistical properties of datasets, and since DNS tunnels are irregularities, their properties should differ from those of ordinary DNS traffic. The K-means classifier, a cluster classifier, and the One-Class SVM (OCSVM) classifier, an outlier detector, are studied and tested in this study.

The data was planned to be gathered using the open-source software openGGSN. After much time spent trying to set it up, this plan had to change. The data was instead gathered with Wireshark, which captured DNS traffic generated from four Virtual Machines (VMs), one of which was using a DNS tunnel. At first the DNS tunnel accounted for over 50% of the data collected, so its share had to be reduced to be more representative of a larger network. The data was reformatted by merging each request and its response into one line so the classifier could use their features together.

The precision, recall and F-score of the classifiers were tested with different initialisation parameters and features.
For K-means the results started out bad, and neither changing the parameters nor the features helped. The OCSVM has multiple kernels, which were tested; the poly kernel looked very good on the first test, but when the nu parameter and the features were changed, its results changed drastically for the worse. The Radial Basis Function (RBF) kernel kept a fairly high score, specifically on the recall of the outliers and the precision on the inliers. More tests were executed using the RBF kernel, changing both the gamma and the nu parameters, which are the most sensitive parameters for that kernel. This finally resulted in a 96% F-score where only the precision on outliers was under 90%, which means the model's largest weakness is a few false positives.