Abstract

Enterprise networks constantly face the threat of valuable and sensitive data being stolen by cyber-attackers. Sophisticated attackers are increasingly exploiting the Domain Name System (DNS) service for exfiltrating data as well as maintaining tunneled command-and-control communications for malware. This is because DNS traffic is usually allowed to pass through enterprise firewalls without deep inspection or state maintenance, thereby providing a covert channel for attackers to encode low volumes of data without fear of detection. This paper develops and evaluates a real-time mechanism for detecting exfiltration and tunneling of data over DNS. Unlike prior solutions that operate offline or in the network core, ours works in real time at the enterprise edge. Our first contribution is to collect and analyze real DNS traffic from two organizations (a large University and a mid-sized Government Research Institute) over several days and extract numerous stateless attributes of DNS messages that can distinguish malicious from legitimate queries. Our second contribution is to develop, tune, and train a machine-learning algorithm to detect anomalies in DNS queries using a benign dataset of top-ranked primary domains. To achieve this, we have used 14 days' worth of DNS traffic from each organization. For our third contribution, we implement our scheme on live 10 Gbps traffic streams from the network borders of the two organizations, inject more than three million malicious DNS queries generated by two exfiltration tools, and show that our solution can identify them with high accuracy. We compare our solution with the two-class classifier used in prior work. We draw insights into anomalous DNS queries of the two enterprise networks by their anomaly scores, the trace of query count over time, the enterprise hosts querying them, and the TTL and Type fields of their corresponding responses. Our tools and datasets are made available to the public for validation and further research.
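The abstract's two key ideas, stateless attributes of a query name and a one-class model fitted only on benign top-ranked domains, are shown below as an added example; this is not the paper's code, and the particular attributes (name length, label count, longest label, digit ratio, character entropy of the subdomain part) and the z-score threshold are assumptions chosen for illustration, not the paper's feature set or classifier.

```python
import math
from collections import Counter
from statistics import mean, pstdev


def shannon_entropy(s):
    # Bits per character of the string; data-carrying labels score high.
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def extract_features(qname):
    """Stateless attributes computed from the query name alone (assumed set)."""
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    # Simplifying assumption: last two labels are the primary domain; the
    # remaining labels are where an exfiltration tool would encode data.
    sub = "".join(labels[:-2])
    digits = sum(ch.isdigit() for ch in sub)
    return {
        "total_len": len(name),
        "label_count": len(labels),
        "max_label_len": max(len(lab) for lab in labels),
        "digit_ratio": digits / len(sub) if sub else 0.0,
        "entropy": shannon_entropy(sub),
    }


class BenignBaseline:
    """One-class model: per-feature mean/stddev fitted on benign names only."""

    def __init__(self, benign_qnames):
        rows = [extract_features(q) for q in benign_qnames]
        self.stats = {f: (mean([r[f] for r in rows]),
                          max(pstdev([r[f] for r in rows]), 1e-6))
                      for f in rows[0]}

    def score(self, qname):
        # Signed z-score: exfiltration inflates these attributes, so only
        # upward deviations from the benign baseline count as suspicious.
        feats = extract_features(qname)
        return max((feats[f] - mu) / sd for f, (mu, sd) in self.stats.items())

    def is_anomalous(self, qname, threshold=3.0):
        return self.score(qname) > threshold


# Constructed benign sample of top-ranked names (not the paper's dataset).
BENIGN = ["www.google.com", "mail.example.org", "cdn.cloudflare.net",
          "api.github.com", "static.xx.fbcdn.net", "login.microsoftonline.com",
          "www.wikipedia.org", "ns1.example.edu"]
BASELINE = BenignBaseline(BENIGN)
```

Because the baseline is fitted on benign names only, a query carrying a long high-entropy label is flagged without any labelled malicious training data, which is the property the abstract contrasts against the two-class classifier of prior work.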
