FSDC: Flow Samples and Dimensions Compression for Efficient Detection of DNS-over-HTTPS Tunnels

Abstract

This paper proposes an innovative approach capitalized on the distinctive characteristics of command and control (C&C) beacons, namely, time intervals and frequency between consecutive unique connections, to compress the network flow dataset. While previous studies on the same matter used single technique, we propose a multi-technique approach for efficient detection of DoH tunnels. We use a baseline public dataset, CIRA-CIC-DoHBrw-2020, containing over a million network flow properties and statistical features of DoH, tunnels, benign DoH and normal browsing (HTTPS) traffic. Each sample is represented by 33 features with a timestamp. Our methodology combines star graph and bar plot visualizations with supervised and unsupervised learning techniques. The approach underscores the importance of C&C beacon characteristic features in compressing a dataset and reducing a flow dimension while enabling efficient detection of DoH tunnels. Through compression, the original dataset size and dimensions are reduced by approximately 95% and 94% respectively. For supervised learning, RF emerges as the top-performing algorithm, attaining precision and recall scores of 100% each, with speed increase of ≈6796 times faster in training and ≈55 in testing. For anomaly detection models, OCSVM emerges as the most suitable choice for this purpose, with precision (88.89) and recall (100). Star graph and bar graph models also show a clear difference between normal traffic and DoH tunnels. The reduction in flow sample size and dimension, while maintaining accuracy, holds promise for edge networks with constrained resources and aids security analysts in interpreting complex ML models to identify Indicators of Compromise (IoC).