Litcius/Paper detail

Detection of DoH Tunnels using Time-series Classification of Encrypted Traffic

Mohammadreza MontazeriShatoori, Logan Davidson, Gurdip Kaur, Arash Habibi Lashkari

2020216 citationsDOI

Abstract

Computer networks have fallen easy prey to cyber attacks in the ever-evolving internet services. Domain Name System (DNS) has also not remained untouched with these cybercrime attempts. Encrypted HyperText Transfer Protocol (HTTP) traffic over Secure Socket Layer (SSL), alternatively called HTTPS, has succeeded to prevent DNS attacks to a great extent. To secure DNS traffic, the security community has introduced the concept of DNS over HTTPS (DoH) to improve user privacy and security by combating eavesdropping and DNS data manipulation on the way to prevent Man-in-the-Middle (MitM) attacks. This paper discusses one of the persistent security concerns, abuse of DNS protocol to create covert channels by tunneling data through DNS packets. We identify tunneling activities that utilize DNS communications over HTTPS by presenting a two-layered approach to detect and characterize DoH traffic using time-series classifiers.

Topics & Concepts

Domain Name SystemComputer scienceComputer securityEncryptionComputer networkMan-in-the-middle attackEavesdroppingNetwork packetThe InternetTransport Layer SecurityHypertext Transfer ProtocolCovert channelWorld Wide WebCloud computing securityCloud computingOperating systemSecurity information and event managementInternet Traffic Analysis and Secure E-votingNetwork Security and Intrusion DetectionAdvanced Malware Detection Techniques
Detection of DoH Tunnels using Time-series Classification of Encrypted Traffic | Litcius