Litcius/Paper detail

Feature Engineering and Machine Learning Model Comparison for Malicious Activity Detection in the DNS-Over-HTTPS Protocol

Matthew Behnke, Nathan Briner, Drake Cullen, Katelynn Schwerdtfeger, Jackson Warren, Ram B. Basnet, Tenzin Doleck

2021IEEE Access49 citationsDOIOpen Access PDF

Abstract

The Domain Name System (DNS) is among the most ubiquitous and important protocols for network communication; however, security concerns regarding DNS have been on the rise and demand for encrypted traffic has followed suit. Using a publicly available dataset, this work compares 10 different machine learning classifiers using stratified 10-fold cross-validation. The classifiers are used to determine the most effective and efficient way of detecting malicious DNS over Hypertext Transfer Protocol Secure (HTTPS) traffic, dubbed DoH traffic. Model performance is evaluated on Non-DoH vs. DoH traffic, then tested on benign vs. malicious DoH traffic. Additionally, this paper seeks to build upon existing research by removing noise and introducing feature selection methods and feature explainability to produce a better model for real-world deployment. After eliminating five overfitting features, our findings indicate that light gradient boosting machine (LGBM) yielded the highest accuracy to training time ratio while approaching 0% error using 20 top features.

Topics & Concepts

Computer scienceOverfittingHypertext Transfer ProtocolFeature selectionMachine learningArtificial intelligenceEncryptionSoftware deploymentSupport vector machineFeature extractionProtocol (science)Data miningComputer networkArtificial neural networkThe InternetWorld Wide WebOperating systemMedicineAlternative medicinePathologyNetwork Security and Intrusion DetectionInternet Traffic Analysis and Secure E-votingSpam and Phishing Detection
Feature Engineering and Machine Learning Model Comparison for Malicious Activity Detection in the DNS-Over-HTTPS Protocol | Litcius