DNS Covert Channel Detection via Behavioral Analysis: a Machine Learning
Approach
- URL: http://arxiv.org/abs/2010.01582v1
- Date: Sun, 4 Oct 2020 13:28:28 GMT
- Title: DNS Covert Channel Detection via Behavioral Analysis: a Machine Learning
Approach
- Authors: Salvatore Saeli, Federica Bisio, Pierangelo Lombardo, Danilo Massa
- Abstract summary: We propose an effective covert channel detection method based on the analysis of DNS network data passively extracted from a network monitoring system.
The proposed solution has been evaluated over a 15-day-long experimental session with the injection of traffic that covers the most relevant exfiltration and tunneling attacks.
- Score: 0.09176056742068815
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Detecting covert channels among legitimate traffic represents a severe
challenge due to the high heterogeneity of networks. Therefore, we propose an
effective covert channel detection method, based on the analysis of DNS network
data passively extracted from a network monitoring system. The framework is
based on a machine learning module and on the extraction of specific anomaly
indicators able to describe the problem at hand. The contribution of this paper
is two-fold: (i) the machine learning models encompass network profiles
tailored to the network users, and not to the single query events, hence
allowing for the creation of behavioral profiles and spotting possible
deviations from the normal baseline; (ii) models are created in an unsupervised
mode, thus allowing for the identification of zero-days attacks and avoiding
the requirement of signatures or heuristics for new variants. The proposed
solution has been evaluated over a 15-day-long experimental session with the
injection of traffic that covers the most relevant exfiltration and tunneling
attacks: all the malicious variants were detected, while producing a low
false-positive rate during the same period.
Related papers
- Feature Selection for Network Intrusion Detection [3.7414804164475983]
We present a novel information-theoretic method that facilitates the exclusion of non-informative features when detecting network intrusions.
The proposed method is based on function approximation using a neural network, which enables a version of our approach that incorporates a recurrent layer.
arXiv Detail & Related papers (2024-11-18T14:25:55Z) - Leveraging a Probabilistic PCA Model to Understand the Multivariate
Statistical Network Monitoring Framework for Network Security Anomaly
Detection [64.1680666036655]
We revisit anomaly detection techniques based on PCA from a probabilistic generative model point of view.
We have evaluated the mathematical model using two different datasets.
arXiv Detail & Related papers (2023-02-02T13:41:18Z) - Self-Supervised Training with Autoencoders for Visual Anomaly Detection [61.62861063776813]
We focus on a specific use case in anomaly detection where the distribution of normal samples is supported by a lower-dimensional manifold.
We adapt a self-supervised learning regime that exploits discriminative information during training but focuses on the submanifold of normal examples.
We achieve a new state-of-the-art result on the MVTec AD dataset -- a challenging benchmark for visual anomaly detection in the manufacturing domain.
arXiv Detail & Related papers (2022-06-23T14:16:30Z) - Representation Learning for Content-Sensitive Anomaly Detection in
Industrial Networks [0.0]
This thesis proposes a framework to learn spatial-temporal aspects of raw network traffic in an unsupervised and protocol-agnostic manner.
The learned representations are used to measure the effect on the results of a subsequent anomaly detection.
arXiv Detail & Related papers (2022-04-20T09:22:41Z) - Self-Supervised and Interpretable Anomaly Detection using Network
Transformers [1.0705399532413615]
This paper introduces the Network Transformer (NeT) model for anomaly detection.
NeT incorporates the graph structure of the communication network in order to improve interpretability.
The presented approach was tested by evaluating the successful detection of anomalies in an Industrial Control System.
arXiv Detail & Related papers (2022-02-25T22:05:59Z) - Training a Bidirectional GAN-based One-Class Classifier for Network
Intrusion Detection [8.158224495708978]
Existing generative adversarial networks (GANs) are primarily used for creating synthetic samples from reals.
In our proposed method, we construct the trained encoder-discriminator as a one-class classifier based on Bidirectional GAN (Bi-GAN)
Our experimental result illustrates that our proposed method is highly effective to be used in network intrusion detection tasks.
arXiv Detail & Related papers (2022-02-02T23:51:11Z) - DAAIN: Detection of Anomalous and Adversarial Input using Normalizing
Flows [52.31831255787147]
We introduce a novel technique, DAAIN, to detect out-of-distribution (OOD) inputs and adversarial attacks (AA)
Our approach monitors the inner workings of a neural network and learns a density estimator of the activation distribution.
Our model can be trained on a single GPU making it compute efficient and deployable without requiring specialized accelerators.
arXiv Detail & Related papers (2021-05-30T22:07:13Z) - Explainable Adversarial Attacks in Deep Neural Networks Using Activation
Profiles [69.9674326582747]
This paper presents a visual framework to investigate neural network models subjected to adversarial examples.
We show how observing these elements can quickly pinpoint exploited areas in a model.
arXiv Detail & Related papers (2021-03-18T13:04:21Z) - Anomaly Detection on Attributed Networks via Contrastive Self-Supervised
Learning [50.24174211654775]
We present a novel contrastive self-supervised learning framework for anomaly detection on attributed networks.
Our framework fully exploits the local information from network data by sampling a novel type of contrastive instance pair.
A graph neural network-based contrastive learning model is proposed to learn informative embedding from high-dimensional attributes and local structure.
arXiv Detail & Related papers (2021-02-27T03:17:20Z) - Experimental Review of Neural-based approaches for Network Intrusion
Management [8.727349339883094]
We provide an experimental-based review of neural-based methods applied to intrusion detection issues.
We offer a complete view of the most prominent neural-based techniques relevant to intrusion detection, including deep-based approaches or weightless neural networks.
Our evaluation quantifies the value of neural networks, particularly when state-of-the-art datasets are used to train the models.
arXiv Detail & Related papers (2020-09-18T18:32:24Z) - Cassandra: Detecting Trojaned Networks from Adversarial Perturbations [92.43879594465422]
In many cases, pre-trained models are sourced from vendors who may have disrupted the training pipeline to insert Trojan behaviors into the models.
We propose a method to verify if a pre-trained model is Trojaned or benign.
Our method captures fingerprints of neural networks in the form of adversarial perturbations learned from the network gradients.
arXiv Detail & Related papers (2020-07-28T19:00:40Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.