Information-Entropy-Based DNS Tunnel Prediction

Abstract: DNS tunneling techniques are often used for malicious purposes. Network security mechanisms have struggled to detect DNS tunneling. Network forensic analysis has been proposed as a solution, but it is slow, invasive and tedious, as network forensic analysis tools struggle to deal with undocumented and new network tunneling techniques. This chapter presents a method for supporting forensic analysis by automating the inference of tunneled protocols. The internal packet structure of DNS tunneling techniques is analyzed, and the information entropy of various network protocols and their DNS-tunneled equivalents is characterized. This provides the basis for a protocol prediction method that uses entropy distribution averaging. Experiments demonstrate that the method has a prediction accuracy of 75%. The method also preserves privacy because it only computes the information entropy and does not parse the actual tunneled content.
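The abstract describes the pipeline only at a high level. The following is an added illustrative example, not the authors' implementation and not code from the paper: it computes the Shannon entropy of the data-carrying labels of tunnel queries, summarises each session as an entropy histogram, averages those histograms into one profile per protocol, and predicts the protocol of a new session by nearest profile. Everything beyond "compute entropy, average distributions, predict" is an assumption made here: the tunnel zone `t.example.net`, the 16-bin histogram, the L1 nearest-profile rule, and the synthetic traffic, whose two classes are deliberately far apart in entropy so the mechanism is easy to follow (real tunneled protocols are much closer, which is why the paper reports 75% rather than near-perfect accuracy).

```python
"""Entropy-based inference of the protocol carried inside a DNS tunnel.

Added illustrative example, NOT the authors' implementation.  Assumptions
(not from the paper): tunnel data rides in the subdomain labels of queries
under an attacker-controlled zone; "entropy distribution averaging" is read
as averaging per-query entropy histograms into one profile per protocol and
choosing the nearest profile by L1 distance.  All traffic below is constructed.
"""
import math
import random
from collections import Counter

TUNNEL_ZONE = "t.example.net"   # hypothetical tunnel zone (assumption)
BINS = 16                       # entropy histogram: 16 bins of 0.5 bit each
MAX_BITS = 8.0                  # one byte carries at most 8 bits of entropy


def shannon_entropy(data: bytes) -> float:
    """Plug-in Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def payload_of(qname: str, zone: str = TUNNEL_ZONE) -> bytes:
    """Data-carrying labels of a tunnel query: everything left of the zone.
    Only the entropy of these bytes is used; the content is never decoded."""
    name = qname.rstrip(".").lower()
    suffix = "." + zone.lower()
    if not name.endswith(suffix):
        return b""
    return name[: -len(suffix)].replace(".", "").encode("ascii")


def entropy_histogram(entropies) -> list:
    """Normalised histogram of per-query entropies over BINS equal-width bins."""
    hist = [0.0] * BINS
    for h in entropies:
        hist[min(int(h / MAX_BITS * BINS), BINS - 1)] += 1.0
    total = float(len(entropies)) or 1.0
    return [v / total for v in hist]


def session_histogram(qnames, zone: str = TUNNEL_ZONE) -> list:
    """Entropy distribution of one tunnel session (a sequence of query names)."""
    return entropy_histogram([shannon_entropy(payload_of(q, zone)) for q in qnames])


def average_profile(histograms) -> list:
    """Average several session histograms into one protocol profile."""
    k = len(histograms)
    return [sum(h[i] for h in histograms) / k for i in range(BINS)]


def predict(histogram, profiles: dict) -> str:
    """Name of the profile with the smallest L1 distance to the histogram."""
    def dist(name):
        return sum(abs(a - b) for a, b in zip(histogram, profiles[name]))
    return min(profiles, key=dist)


# --- constructed traffic (synthetic, not captured) ---------------------------
# "binary" labels draw uniformly from the 32-symbol base32 alphabet (about
# 4.6 bits per symbol for 60 symbols); "text" labels draw from an 8-symbol
# alphabet (below 3 bits).  Real tunneled protocols are far closer than this.
B32 = "abcdefghijklmnopqrstuvwxyz234567"
TEXTISH = "abcdefgh"


def synth_session(kind: str, seed: int, queries: int = 20, label_len: int = 60):
    """One seeded synthetic tunnel session: `queries` names with a 60-char label."""
    rng = random.Random(seed)
    alphabet = B32 if kind == "binary" else TEXTISH
    return [f"{''.join(rng.choices(alphabet, k=label_len))}.{TUNNEL_ZONE}"
            for _ in range(queries)]


def build_profiles(sessions_per_kind: int = 10) -> dict:
    """Train one averaged entropy profile per simulated tunneled protocol."""
    return {
        kind: average_profile([session_histogram(synth_session(kind, 1000 * i + s))
                               for s in range(sessions_per_kind)])
        for i, kind in enumerate(("binary", "text"), start=1)
    }


if __name__ == "__main__":
    profiles = build_profiles()
    for kind in ("binary", "text"):
        hist = session_histogram(synth_session(kind, seed=99))
        print(f"{kind:6s} session -> predicted {predict(hist, profiles)}")
```

The privacy property the abstract claims falls out of `payload_of` and `shannon_entropy`: only byte frequencies of the labels are ever computed, so nothing decodes or stores the tunneled content. In practice the zone suffix would come from the detection that flagged the tunnel, and the profiles would be trained on captures of known protocols sent through the same tunneling tool, since the tool's encoding (hex, base32, base64) shifts every protocol's entropy by roughly the same amount.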
Document type :
Conference papers
Contributor: Hal Ifip
Submitted on: Tuesday, January 22, 2019 - 9:44:26 AM
Last modification on: Thursday, February 24, 2022 - 1:38:03 PM
Long-term archiving on: Tuesday, April 23, 2019 - 1:54:37 PM


Distributed under a Creative Commons Attribution 4.0 International License



Irvin Homem, Panagiotis Papapetrou, Spyridon Dosis. Information-Entropy-Based DNS Tunnel Prediction. 14th IFIP International Conference on Digital Forensics (DigitalForensics), Jan 2018, New Delhi, India. pp.127-140, ⟨10.1007/978-3-319-99277-8_8⟩. ⟨hal-01988835⟩