
Information-Entropy-Based DNS Tunnel Prediction

Abstract: DNS tunneling techniques are often used for malicious purposes, and network security mechanisms have struggled to detect them. Network forensic analysis has been proposed as a solution, but it is slow, invasive and tedious, because network forensic analysis tools struggle with undocumented and new tunneling techniques. This chapter presents a method for supporting forensic analysis by automating the inference of tunneled protocols. The internal packet structure of DNS tunneling techniques is analyzed, and the information entropy of various network protocols and of their DNS-tunneled equivalents is characterized. This provides the basis for a protocol prediction method that uses entropy distribution averaging. Experiments demonstrate that the method has a prediction accuracy of 75%. The method also preserves privacy because it only computes the information entropy and does not parse the actual tunneled content.
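The abstract describes the technique only at a high level: compute the information entropy of the data carried in tunnel queries, characterize each protocol by its entropy distribution, and predict the tunneled protocol of an unknown flow by comparing against averaged distributions. The following is an added illustration of that idea, not code from the paper or its authors. It assumes a tunnel that carries base32-encoded data in the subdomain labels of a constructed domain (`t.example.net`), synthesizes two kinds of tunneled traffic (encrypted-looking random bytes and highly repetitive text), represents each flow as a histogram of per-query entropies, averages the histograms per protocol into a profile, and predicts by nearest profile under L1 distance. The histogram representation, the bin count and the distance measure are simplifying assumptions of this example; only the query names are ever inspected, never the decoded payload, which is the privacy property the abstract mentions.

```python
import base64
import math
import random
from collections import Counter

# Constructed tunnel base domain for this example; a real analyst would take it
# from the flow under investigation.
TUNNEL_SUFFIX = ".t.example.net"
# Base32 labels have at most log2(32) = 5 bits of entropy per character, so the
# per-query entropies are binned over the range [0, 5).
BINS = 10


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per symbol."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def payload_labels(qname: str) -> bytes:
    """Concatenate the data-carrying labels of a tunnel query name.

    The base domain is stripped and the remaining labels are joined; the
    encoded data is never decoded, only its symbol statistics are used."""
    name = qname.rstrip(".")
    if name.endswith(TUNNEL_SUFFIX):
        name = name[: -len(TUNNEL_SUFFIX)]
    return name.replace(".", "").encode("ascii")


def entropy_histogram(qnames):
    """Normalised distribution of per-query entropies for one flow."""
    hist = [0.0] * BINS
    for q in qnames:
        h = shannon_entropy(payload_labels(q))
        idx = min(int(h / 5.0 * BINS), BINS - 1)
        hist[idx] += 1
    total = sum(hist) or 1.0
    return [v / total for v in hist]


def average_distributions(hists):
    """Bin-wise mean of several histograms (the 'distribution averaging' step)."""
    return [sum(col) / len(hists) for col in zip(*hists)]


def build_profiles(training):
    """training maps protocol name -> list of flows, each flow a list of qnames."""
    return {
        proto: average_distributions([entropy_histogram(flow) for flow in flows])
        for proto, flows in training.items()
    }


def predict(profiles, qnames):
    """Return the protocol whose averaged profile is nearest (L1) to this flow."""
    h = entropy_histogram(qnames)
    return min(profiles, key=lambda p: sum(abs(a - b) for a, b in zip(h, profiles[p])))


# --- constructed sample traffic (not captured data) ---------------------------
def encode_query(chunk: bytes) -> str:
    """Mimic a tunnel client: base32-encode a chunk and split it into DNS labels."""
    b32 = base64.b32encode(chunk).decode("ascii").rstrip("=").lower()
    labels = [b32[i:i + 50] for i in range(0, len(b32), 50)]
    return ".".join(labels) + TUNNEL_SUFFIX


def synth_flow(rng, kind, n_queries=20):
    """Synthesize one tunneled flow of the given kind (60-byte chunks per query)."""
    flow = []
    for _ in range(n_queries):
        if kind == "encrypted":
            chunk = bytes(rng.getrandbits(8) for _ in range(60))
        else:  # "text": a 5-byte pattern repeated, i.e. very low entropy
            chunk = rng.choice([b"abcde", b"hello"]) * 12
        flow.append(encode_query(chunk))
    return flow


def demo():
    """Train profiles on constructed flows and classify held-out flows."""
    rng = random.Random(1)
    kinds = ("encrypted", "text")
    training = {k: [synth_flow(rng, k) for _ in range(5)] for k in kinds}
    profiles = build_profiles(training)
    held_out = random.Random(2)
    return {k: predict(profiles, synth_flow(held_out, k)) for k in kinds}


if __name__ == "__main__":
    print(demo())
```

In practice the per-protocol profiles would be built from flows whose tunneled protocol is already known, and the 75% accuracy reported in the abstract reflects real protocols whose entropy distributions overlap far more than the two extremes synthesized here; encrypted or compressed payloads in particular look alike under this measure.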
Document type: Conference papers

https://hal.inria.fr/hal-01988835
Contributor: Hal Ifip
Submitted on: Tuesday, January 22, 2019 - 9:44:26 AM
Last modification on: Thursday, November 26, 2020 - 2:56:03 PM
Long-term archiving on: Tuesday, April 23, 2019 - 1:54:37 PM

File

472401_1_En_8_Chapter.pdf
Files produced by the author(s)

Licence


Distributed under a Creative Commons Attribution 4.0 International License

Citation

Irvin Homem, Panagiotis Papapetrou, Spyridon Dosis. Information-Entropy-Based DNS Tunnel Prediction. 14th IFIP International Conference on Digital Forensics (DigitalForensics), Jan 2018, New Delhi, India. pp.127-140, ⟨10.1007/978-3-319-99277-8_8⟩. ⟨hal-01988835⟩
