Abstract

The Domain Name System (DNS) protocol is one of the most versatile protocols in the world. If an attacker can use DNS to pass messages and control a victim host, then no firewall can effectively block that traffic, because DNS is almost always allowed through. In recent years the DNS tunnel has become one of the most dangerous threats in the field of steganography, and it supports a wide range of criminal activities. To detect and distinguish different types of DNS tunnels, we present a three-stage DNS tunnel detection method based on character feature extraction. This novel method, named FTPB, first filters out candidate DNS tunnel domain names with a feature extraction classifier, then converts them into high-dimensional vectors by term frequency-inverse document frequency (TF-IDF) and reduces the dimension to 2 by principal component analysis (PCA). Finally, the data is classified by a binary vector classifier. Our method only needs to extract the character information of the domain names, and it can effectively discover different types of DNS tunnels. Compared with traditional detection methods, which can only detect content-based DNS tunnels, our method can also detect codebook-based DNS tunnels, and the evaluation results substantially prove the efficacy of our method, with accuracy and precision above 99%.
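As an added illustration of the first stage described above (not code from the paper or the FTPB authors), the following Python computes character-level features of a query name and applies a threshold filter to flag candidate tunnel domains; the feature set, the thresholds, the "last two labels are the registered domain" assumption and the sample names are all constructed here, not taken from the paper.

```python
import math
from collections import Counter


def char_features(fqdn: str) -> dict:
    """Character-level features of one DNS query name (stage-one input)."""
    labels = [l for l in fqdn.lower().rstrip(".").split(".") if l]
    # Assumption: the last two labels are the registered domain; everything
    # before them is the subdomain part where tunnel payloads are encoded.
    sub = "".join(labels[:-2]) if len(labels) > 2 else ""
    counts = Counter(sub)
    n = len(sub)
    # Shannon entropy of the subdomain characters (0.0 for an empty subdomain).
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0
    return {
        "label_count": len(labels),
        "longest_label": max((len(l) for l in labels), default=0),
        "subdomain_len": n,
        "entropy": entropy,
        "digit_ratio": sum(ch.isdigit() for ch in sub) / n if n else 0.0,
        "unique_ratio": len(counts) / n if n else 0.0,
    }


def is_tunnel_candidate(fqdn: str, entropy_thr: float = 3.5,
                        longest_thr: int = 30, sub_thr: int = 40) -> bool:
    """Assumed threshold filter: high entropy, a very long label or a long
    subdomain marks the name as a candidate for the later TF-IDF/PCA stages.
    Codebook tunnels built from short dictionary words keep entropy low and
    are left for those later stages, as the abstract describes."""
    f = char_features(fqdn)
    return (f["entropy"] >= entropy_thr
            or f["longest_label"] >= longest_thr
            or f["subdomain_len"] >= sub_thr)


def filter_candidates(names: list[str]) -> list[str]:
    """Return the subset of names that the stage-one filter flags."""
    return [name for name in names if is_tunnel_candidate(name)]


# Constructed sample query names (not real traffic): two benign names and one
# carrying a base64-looking 35-character label in the subdomain.
SAMPLE_NAMES = [
    "www.example.com",
    "cdn.static.example.com",
    "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.t.example.net",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(name, char_features(name), is_tunnel_candidate(name))
```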
