Information-Entropy-Based DNS Tunnel Prediction - Inria - Institut national de recherche en sciences et technologies du numérique
Conference paper, Year: 2018

Information-Entropy-Based DNS Tunnel Prediction

Irvin Homem
  • Role: Author
  • PersonId : 1041886

Abstract

DNS tunneling techniques are often used for malicious purposes. Network security mechanisms have struggled to detect DNS tunneling. Network forensic analysis has been proposed as a solution, but it is slow, invasive and tedious, as network forensic analysis tools struggle to deal with undocumented and new network tunneling techniques. This chapter presents a method for supporting forensic analysis by automating the inference of tunneled protocols. The internal packet structure of DNS tunneling techniques is analyzed, and the information entropy of various network protocols and their DNS tunneled equivalents is characterized. This provides the basis for a protocol prediction method that uses entropy distribution averaging. Experiments demonstrate that the method has a prediction accuracy of 75%. The method also preserves privacy because it only computes the information entropy and does not parse the actual tunneled content.
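The abstract describes a pipeline of three steps: compute the information entropy of packets, characterize each protocol (and its DNS tunneled equivalent) by averaging entropy distributions over training traffic, and predict the tunneled protocol by matching an observed flow against those averaged profiles. The script below is an added illustration of that pipeline and is not the paper's code. Everything specific in it is an assumption: the three constructed protocols (`keepalive`, `status`, `encrypted`), the generic base32-in-QNAME tunnel emulation in `dns_tunnel_flow`, the use of entropy quantiles as the distribution representation, and mean absolute difference as the distance. The paper's actual features, tunnel formats and distance measure are not given on this page. Note that nothing in the code decodes the tunneled labels; only their byte entropy is used, which is the privacy property the abstract points out.

```python
"""Entropy-profile protocol prediction for DNS-tunneled traffic (added illustration)."""
import base64
import math
import random
from collections import Counter

# --- 1. Shannon entropy of a single payload --------------------------------

def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

# --- 2. Entropy distribution of a flow, and averaging across flows ---------

def entropy_profile(payloads, points: int = 10):
    """Represent a flow (list of payloads) by `points` quantiles of its per-payload
    entropies; quantiles keep the distribution's shape without choosing histogram bins."""
    ents = sorted(shannon_entropy(p) for p in payloads)
    return [ents[min(q * len(ents) // points, len(ents) - 1)] for q in range(points)]

def average_profiles(profiles):
    """Element-wise mean of the profiles of several flows of one protocol."""
    return [sum(col) / len(profiles) for col in zip(*profiles)]

def characterize(training):
    """training: {protocol: [flow, ...]} -> {protocol: averaged entropy profile}."""
    return {name: average_profiles([entropy_profile(f) for f in flows])
            for name, flows in training.items()}

def predict_protocol(model, flow):
    """Nearest averaged profile by mean absolute difference; returns (name, distance)."""
    obs = entropy_profile(flow)
    dist = {name: sum(abs(a - b) for a, b in zip(prof, obs)) / len(obs)
            for name, prof in model.items()}
    best = min(dist, key=dist.get)
    return best, dist[best]

# --- 3. Constructed traffic and a generic base32-in-QNAME tunnel emulation --

def keepalive_flow(rng, n=20):
    """Constructed low-entropy protocol: a 5-byte beacon repeated to a random length."""
    return [(b"\x00\x00\x00\x00\x01" * 80)[:rng.randint(200, 400)] for _ in range(n)]

def status_flow(rng, n=20):
    """Constructed plaintext protocol: fixed-width status records (lots of padding)."""
    out = []
    for _ in range(n):
        target = rng.randint(200, 400)
        text = ""
        while len(text) < target:
            text += "%-10s%-8s%8.2f%10d\n" % ("node-%02d" % rng.randint(0, 40), "ok",
                                             rng.random() * 10, rng.randint(1, 10**6))
        out.append(text[:target].encode())
    return out

def encrypted_flow(rng, n=20):
    """Constructed high-entropy protocol: random bytes standing in for ciphertext."""
    return [bytes(rng.randrange(256) for _ in range(rng.randint(200, 400))) for _ in range(n)]

def dns_tunnel_flow(payloads, chunk=140, suffix=b"t.example"):
    """Emulate a generic tunnel: each chunk of a payload becomes one query name made of
    base32 labels of at most 63 bytes (constructed emulation, not any real tool's format)."""
    qnames = []
    for p in payloads:
        for i in range(0, len(p), chunk):
            enc = base64.b32encode(p[i:i + chunk]).rstrip(b"=").lower()
            labels = [enc[j:j + 63] for j in range(0, len(enc), 63)]
            qnames.append(b".".join(labels + [suffix]))
    return qnames

GENERATORS = {"keepalive": keepalive_flow, "status": status_flow, "encrypted": encrypted_flow}

def build_models(seed=1, flows_per_protocol=5):
    """Characterize each native protocol and its tunneled equivalent on training flows."""
    rng = random.Random(seed)
    native = {name: [gen(rng) for _ in range(flows_per_protocol)] for name, gen in GENERATORS.items()}
    tunneled = {name: [dns_tunnel_flow(f) for f in flows] for name, flows in native.items()}
    return characterize(native), characterize(tunneled)

def demo(seed=99):
    """Predict held-out flows (fresh seed); returns {protocol: (native_guess, tunnel_guess)}."""
    native_model, tunnel_model = build_models()
    rng = random.Random(seed)
    results = {}
    for name, gen in GENERATORS.items():
        flow = gen(rng)
        results[name] = (predict_protocol(native_model, flow)[0],
                         predict_protocol(tunnel_model, dns_tunnel_flow(flow))[0])
    return results

if __name__ == "__main__":
    for proto, (native_guess, tunnel_guess) in demo().items():
        print(f"{proto:10s} native->{native_guess:10s} tunneled->{tunnel_guess}")
```

Running the script prints, for each held-out flow, the protocol predicted from its native packets and from its tunneled query names. Comparing the two models' profiles also shows why the abstract characterizes tunneled equivalents separately: base32 labels can carry at most 5 bits per symbol, so the entropy range that spans roughly 1 to 7.5 bits across the native protocols is compressed into a much narrower band once tunneled, and native profiles would not transfer.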
Main file
472401_1_En_8_Chapter.pdf (297.89 KB) Download the file
Origin: Files produced by the author(s)

Dates and versions

hal-01988835, version 1 (22-01-2019)

License

Attribution

Identifiers

Cite

Irvin Homem, Panagiotis Papapetrou, Spyridon Dosis. Information-Entropy-Based DNS Tunnel Prediction. 14th IFIP International Conference on Digital Forensics (DigitalForensics), Jan 2018, New Delhi, India. pp.127-140, ⟨10.1007/978-3-319-99277-8_8⟩. ⟨hal-01988835⟩
113 Views
190 Downloads
