A Bigram based Real Time DNS Tunnel Detection Approach

Abstract

DNS (Domain Name System) tunnels can provide high-bandwidth covert channels that pose a significant risk to sensitive information inside the company networks. Sensitive data are embedded in DNS query and response packets to exfiltrate and infiltrate the network boundaries. However, traditional Intrusion Detection Systems (IDS) and Firewalls let DNS packets pass without any checking. This paper explores a novel approach to detect in real time whether a DNS packet is in a tunnel by scoring the query domain based on bigram. Experiment shows that the bigrams of domains follow Zipf's law whereas tunnelled traffic is obedient to random distribution. The score mechanism in detecting DNS tunnels is proved to be usable theoretically and is confirmed in the experiment. Our approach can get a high accuracy of 98.74% and low false positive of 1.24%.