Computer Science – Cryptography and Security
Scientific paper
2010-04-25
Computer Science
Cryptography and Security
In Proceedings of the 9th Annual Security Conference, Las Vegas, NV, April 7-8, 2010
Scientific paper
High-bandwidth covert channels pose significant risks to sensitive and proprietary information inside company networks. Domain Name System (DNS) tunnels provide a means to covertly infiltrate and exfiltrate large amounts of information passed network boundaries. This paper explores the possibility of detecting DNS tunnels by analyzing the unigram, bigram, and trigram character frequencies of domains in DNS queries and responses. It is empirically shown how domains follow Zipf's law in a similar pattern to natural languages, whereas tunneled traffic has more evenly distributed character frequencies. This approach allows tunnels to be detected across multiple domains, whereas previous methods typically concentrate on monitoring point to point systems. Anomalies are quickly discovered when tunneled traffic is compared to the character frequency fingerprint of legitimate domain traffic.
Born Kenton
Gustafson David
No associations
LandOfFree
Detecting DNS Tunnels Using Character Frequency Analysis does not yet have a rating. At this time, there are no reviews or comments for this scientific paper.
If you have personal experience with Detecting DNS Tunnels Using Character Frequency Analysis, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Detecting DNS Tunnels Using Character Frequency Analysis will most certainly appreciate the feedback.
Profile ID: LFWR-SCP-O-186535