Abstract

In the presence of security countermeasures, a malware designed for data exfiltration must use a covert channel to achieve its goal. The Domain Name System (DNS) protocol is a covert channel commonly used by malware developers today for this purpose. Although the detection of covert channels using the DNS has been studied for the past decade, prior research has largely dealt with a specific subclass of covert channels, namely DNS tunneling. While the importance of tunneling detection should not be minimized, an entire class of low throughput DNS exfiltration malware has been overlooked. In this study, we propose a method for detecting both tunneling and low throughput data exfiltration over the DNS. After determining that previously detected malware used Internet domains that were registered for a cyber-campaign rather than compromising existing legitimate domains, we focus on detecting and denying requests to these domains as an effective data leakage shutdown. Therefore, our proposed solution handles streaming DNS traffic in order to detect and automatically deny requests to domains that are used for data exchange. The initial data collection phase collects DNS logs per domain in a manner that permits scanning for long periods of time, and is thus capable of dealing with “low and slow” attacks. In the second phase features are extracted based on the querying behavior of each domain, and in the last phase an anomaly detection model is used to classify domains based on their use for data exfiltration. With regard to detection, DNS requests to domains that were classified as being used for data exfiltration will be denied indefinitely. Our method was evaluated on a large-scale recursive DNS server’s logs with a peaking high of 47 million requests per hour. Within these DNS logs, we injected data exfiltration traffic from DNS tunneling tools as well as two real-life malware: FrameworkPOS, previously used for the theft of 56M credit cards from Home Depot in 2014, and Backdoor.Win32.Denis, which was active in the Cobalt Kitty APT in 2016. Even when restricting our method to an extremely low false positive rate (i.e., one in fifty thousand domains), it detected all of the above. In addition, the logs are used to compare our system with two recently published methods that focus on detecting DNS tunneling in order to stress the novelty of detecting low throughput exfiltration malware.

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.