
Detection of malicious and low throughput data exfiltration over the DNS protocol


Abstract

In the presence of security countermeasures, a malware designed for data exfiltration must do so using a covert channel to achieve its goal. Among existing covert channels stands the domain name system (DNS) protocol. Although the detection of covert channels over the DNS has been thoroughly studied in the last decade, previous research dealt with a specific subclass of covert channels, namely DNS tunneling. While the importance of tunneling detection is not undermined, an entire class of low throughput DNS exfiltration malware remained overlooked. The goal of this study is to propose a method for detecting both tunneling and low-throughput data exfiltration over the DNS. Towards this end, we propose a solution composed of a supervised feature selection method and an interchangeable, adjustable anomaly detection model trained on legitimate traffic. In the first step, a one-class classifier is applied for detecting domain-specific traffic that does not conform with the normal behavior. Then, in the second step, in order to reduce the false positive rate resulting from the attempt to detect the low-throughput data exfiltration, we apply a rule-based filter that filters data exchange over DNS used by legitimate services. Our solution was evaluated on a medium-scale recursive DNS server's logs, and involved more than 75,000 legitimate uses and almost 2,000 attacks. Evaluation results show that while DNS tunneling is covered with at least 99% recall rate and less than 0.01% false positive rate, the detection of low throughput exfiltration is more difficult. While not preventing it completely, our solution limits a malware attempting to avoid detection to at most 1kb/h of payload under the limitations of the DNS syntax (equivalent to five credit card details, or ten user credentials per hour), which reduces the effectiveness of the attack.
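The abstract describes a two-step pipeline: an anomaly model trained only on legitimate traffic flags domains whose query pattern deviates from the norm, and a rule-based filter then removes legitimate services that legitimately exchange data over DNS. The Python script below is an added illustration of that pipeline, not the paper's code, features, classifier or rule set: it aggregates constructed DNS query log lines per registered domain into a few per-domain features (unique-subdomain ratio, mean label length, mean label entropy and encoded bytes per hour), fits a per-feature z-score baseline on the legitimate domains as a stand-in for the paper's one-class classifier, and applies a constructed allowlist of DNS data-exchange services as the rule-based step. The log format, domain names, thresholds and the "last two labels" notion of registered domain are all assumptions; the payload-per-hour figure is reported so the 1kb/h bound in the abstract can be related to what a flagged domain is actually carrying.

```python
"""Two-step DNS exfiltration detection sketch (added illustration, not the
paper's implementation): anomaly step trained on legitimate traffic, then a
rule-based filter for services that legitimately exchange data over DNS."""
import hashlib
import math
from collections import defaultdict
from statistics import mean, pstdev

STD_FLOOR_FRACTION = 0.05   # assumption: keeps std non-zero on tiny baselines
SECONDS_PER_HOUR = 3600.0
# Assumption: constructed placeholder names of services known to exchange
# data over DNS legitimately; the paper's real rules are not reproduced.
LEGIT_DNS_DATA_SERVICES = {"av-updates.example", "dnsbl.example"}


def synth(domain, labels, start_ts, step):
    """Constructed log lines in an assumed '<epoch> <client> <qname> <qtype>' format."""
    return [f"{start_ts + i * step} 10.0.0.{1 + i % 5} {lab}.{domain} A"
            for i, lab in enumerate(labels)]


def hashy(prefix, n, width):
    """Deterministic high-entropy labels standing in for encoded payload."""
    return [hashlib.sha256(f"{prefix}{i}".encode()).hexdigest()[:width]
            for i in range(n)]


BASELINE_LOG = (  # constructed legitimate traffic used only for training
    synth("example.com", ["www", "mail", "www", "www", "mail", "cdn"] * 5, 0, 120)
    + synth("example.net", ["static", "img1", "img2", "static"] * 5, 0, 180)
    + synth("example.org", ["api", "api", "login", "api"] * 5, 0, 200)
    + synth("example.edu", ["lib", "www", "portal", "www", "mail"] * 4, 0, 240)
)
TEST_LOG = (  # constructed traffic to score: baseline plus two high-entropy domains
    BASELINE_LOG
    + synth("c2-placeholder.example", hashy("exfil", 40, 30), 0, 90)
    + synth("av-updates.example", hashy("sig", 30, 32), 0, 100)
)


def shannon_entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(qname):
    """Assumption: the last two labels form the registered domain (no PSL lookup)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_features(lines):
    """Aggregate queries per registered domain into the four features above."""
    per_domain = defaultdict(list)
    for line in lines:
        ts, _client, qname, _qtype = line.split()
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if qname != dom else ""
        per_domain[dom].append((int(ts), sub))
    feats = {}
    for dom, rows in per_domain.items():
        subs = [s for _, s in rows]
        stamps = [t for t, _ in rows]
        span = max(max(stamps) - min(stamps), 60)  # assumption: 60 s floor on the window
        feats[dom] = {
            "unique_ratio": len(set(subs)) / len(subs),
            "mean_len": mean(len(s) for s in subs),
            "mean_entropy": mean(shannon_entropy(s) for s in subs),
            "bytes_per_hour": sum(len(s) for s in subs) / span * SECONDS_PER_HOUR,
        }
    return feats


class BaselineDetector:
    """Per-feature z-score model fitted on legitimate domains only; a simple
    stand-in for the one-class classifier of the abstract."""

    def __init__(self, threshold=3.0):
        self.threshold, self.stats = threshold, {}

    def fit(self, feats):
        for name in next(iter(feats.values())):
            vals = [f[name] for f in feats.values()]
            mu, sd = mean(vals), pstdev(vals)
            self.stats[name] = (mu, max(sd, STD_FLOOR_FRACTION * abs(mu), 1e-9))
        return self

    def score(self, f):
        return max(abs(f[n] - mu) / sd for n, (mu, sd) in self.stats.items())

    def is_anomalous(self, f):
        return self.score(f) > self.threshold


def legitimate_service_rule(domain):
    """Step two: rule-based filter for known DNS data-exchange services."""
    return domain in LEGIT_DNS_DATA_SERVICES


def detect(baseline_lines, test_lines, threshold=3.0):
    """Return anomalous domains split into 'flagged' and rule-'filtered'."""
    detector = BaselineDetector(threshold).fit(domain_features(baseline_lines))
    flagged, filtered = {}, {}
    for dom, f in domain_features(test_lines).items():
        if not detector.is_anomalous(f):
            continue
        bucket = filtered if legitimate_service_rule(dom) else flagged
        bucket[dom] = {**f, "score": round(detector.score(f), 1)}
    return {"flagged": flagged, "filtered": filtered}


if __name__ == "__main__":
    for kind, doms in detect(BASELINE_LOG, TEST_LOG).items():
        for dom, f in doms.items():
            print(f"{kind:8} {dom:26} {f['bytes_per_hour']:8.1f} B/h  z={f['score']}")
```

Running the script flags only the constructed `c2-placeholder.example` domain (carrying roughly 1.2 kB/h of encoded labels, above the 1kb/h bound the abstract cites), while `av-updates.example`, which looks just as anomalous to the baseline model, is removed by the rule-based step; this is the false-positive reduction the second step exists for. A real deployment would replace the z-score baseline with a proper one-class model and the allowlist with the evaluated rule set, and would derive the registered domain from the public suffix list rather than the last two labels.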
