Detection of Malicious DNS-over-HTTPS Traffic: An Anomaly Detection Approach using Autoencoders

• URL: http://arxiv.org/abs/2310.11325v1
• Date: Tue, 17 Oct 2023 15:03:37 GMT
• Title: Detection of Malicious DNS-over-HTTPS Traffic: An Anomaly Detection Approach using Autoencoders
• Authors: Sergio Salinas Monroy, Aman Kumar Gupta, Garrett Wahlstedt,
• Abstract summary: We design an autoencoder that is capable of detecting malicious DNS traffic by only observing the encrypted DoH traffic. We find that our proposed autoencoder achieves the highest detection performance, with a median F-1 score of 99% over several types of malicious traffic.
• Score: 0.0
• License: http://creativecommons.org/licenses/by-nc-nd/4.0/
• Abstract: To maintain the privacy of users' web browsing history, popular browsers encrypt their DNS traffic using the DNS-over-HTTPS (DoH) protocol. Unfortunately, encrypting DNS packets prevents many existing intrusion detection systems from using plaintext domain names to detect malicious traffic. In this paper, we design an autoencoder that is capable of detecting malicious DNS traffic by only observing the encrypted DoH traffic. Compared to previous works, the proposed autoencoder looks for anomalies in DoH traffic, and thus can detect malicious traffic that has not been previously observed, i.e., zero-day attacks. We run extensive experiments to evaluate the performance of our proposed autoencoder and compare it to that of other anomaly detection algorithms, namely, local outlier factor, one-class support vector machine, isolation forest, and variational autoencoders. We find that our proposed autoencoder achieves the highest detection performance, with a median F-1 score of 99\% over several types of malicious traffic.

Related papers

• Autosen: improving automatic wifi human sensing through cross-modal autoencoder [56.44764266426344]
  WiFi human sensing is highly regarded for its low-cost and privacy advantages in recognizing human activities. Traditional cross-modal methods, aimed at enabling self-supervised learning without labeled data, struggle to extract meaningful features from amplitude-phase combinations. We introduce AutoSen, an innovative automatic WiFi sensing solution that departs from conventional approaches.
  arXiv  Detail & Related papers  (2024-01-08T19:50:02Z)
• An Unforgeable Publicly Verifiable Watermark for Large Language Models [84.2805275589553]
  Current watermark detection algorithms require the secret key used in the watermark generation process, making them susceptible to security breaches and counterfeiting during public detection. We propose an unforgeable publicly verifiable watermark algorithm named UPV that uses two different neural networks for watermark generation and detection, instead of using the same key at both stages.
  arXiv  Detail & Related papers  (2023-07-30T13:43:27Z)
• Feature Mining for Encrypted Malicious Traffic Detection with Deep Learning and Other Machine Learning Algorithms [7.404682407709988]
  The popularity of encryption mechanisms poses a great challenge to malicious traffic detection. Traditional detection techniques cannot work without the decryption of encrypted traffic. In this paper, we provide an in-depth analysis of traffic features and compare different state-of-the-art traffic feature creation approaches. We propose a novel concept for encrypted traffic feature which is specifically designed for encrypted malicious traffic analysis.
  arXiv  Detail & Related papers  (2023-04-07T15:25:36Z)
• Using EBGAN for Anomaly Intrusion Detection [13.155954231596434]
  We propose an EBGAN-based intrusion detection method, IDS-EBGAN, that classifies network records as normal traffic or malicious traffic. The generator in IDS-EBGAN is responsible for converting the original malicious network traffic in the training set into adversarial malicious examples. During testing, IDS-EBGAN uses reconstruction error of discriminator to classify traffic records.
  arXiv  Detail & Related papers  (2022-06-21T13:49:34Z)
• AVTPnet: Convolutional Autoencoder for AVTP anomaly detection in Automotive Ethernet Networks [2.415997479508991]
  In this paper, we propose a convolutional autoencoder (CAE) for offline detection of anomalies on the Audio Video Transport Protocol (AVTP) Our proposed approach is evaluated on the recently published " Automotive Ethernet Intrusion dataset"
  arXiv  Detail & Related papers  (2022-01-31T19:13:20Z)
• Spotting adversarial samples for speaker verification by neural vocoders [102.1486475058963]
  We adopt neural vocoders to spot adversarial samples for automatic speaker verification (ASV) We find that the difference between the ASV scores for the original and re-synthesize audio is a good indicator for discrimination between genuine and adversarial samples. Our codes will be made open-source for future works to do comparison.
  arXiv  Detail & Related papers  (2021-07-01T08:58:16Z)
• DoS and DDoS Mitigation Using Variational Autoencoders [15.23225419183423]
  We explore the potential of Variational Autoencoders to serve as a component within an intelligent security solution. Two methods based on the ability of Variational Autoencoders to learn latent representations from network traffic flows are proposed.
  arXiv  Detail & Related papers  (2021-05-14T15:38:40Z)
• TANTRA: Timing-Based Adversarial Network Traffic Reshaping Attack [46.79557381882643]
  We present TANTRA, a novel end-to-end Timing-based Adversarial Network Traffic Reshaping Attack. Our evasion attack utilizes a long short-term memory (LSTM) deep neural network (DNN) which is trained to learn the time differences between the target network's benign packets. TANTRA achieves an average success rate of 99.99% in network intrusion detection system evasion.
  arXiv  Detail & Related papers  (2021-03-10T19:03:38Z)
• Challenges in Net Neutrality Violation Detection: A Case Study of Wehe Tool and Improvements [0.0]
  We focus on Wehe,' the most recent tool developed to detect net-neutrality violations. We highlight critical weaknesses in Wehe where its replay traffic is not being correctly classified as intended services. We propose a new method in which the SNI parameter is set appropriately in the initial TLS handshake.
  arXiv  Detail & Related papers  (2021-01-12T15:42:30Z)
• D-Unet: A Dual-encoder U-Net for Image Splicing Forgery Detection and Localization [108.8592577019391]
  Image splicing forgery detection is a global binary classification task that distinguishes the tampered and non-tampered regions by image fingerprints. We propose a novel network called dual-encoder U-Net (D-Unet) for image splicing forgery detection, which employs an unfixed encoder and a fixed encoder. In an experimental comparison study of D-Unet and state-of-the-art methods, D-Unet outperformed the other methods in image-level and pixel-level detection.
  arXiv  Detail & Related papers  (2020-12-03T10:54:02Z)
• Cassandra: Detecting Trojaned Networks from Adversarial Perturbations [92.43879594465422]
  In many cases, pre-trained models are sourced from vendors who may have disrupted the training pipeline to insert Trojan behaviors into the models. We propose a method to verify if a pre-trained model is Trojaned or benign. Our method captures fingerprints of neural networks in the form of adversarial perturbations learned from the network gradients.
  arXiv  Detail & Related papers  (2020-07-28T19:00:40Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.