Related papers: Domainator: Detecting and Identifying DNS-Tunneling Malware Using Metadata Sequences

Domainator: Detecting and Identifying DNS-Tunneling Malware Using Metadata Sequences

URL: http://arxiv.org/abs/2505.22220v1
Date: Wed, 28 May 2025 10:52:19 GMT
Title: Domainator: Detecting and Identifying DNS-Tunneling Malware Using Metadata Sequences
Authors: Denis Petrov, Pascal Ruffing, Sebastian Zillien, Steffen Wendzel,
Abstract summary: Domainator is an approach to detect and differentiate state-of-the-art malware and DNS tunneling tools.<n>We evaluate our approach with 7 different malware samples and tunneling tools and can identify the particular malware based on its DNS traffic.
Score: 0.0
License: http://creativecommons.org/licenses/by/4.0/
Abstract: In recent years, malware with tunneling (or: covert channel) capabilities is on the rise. While malware research led to several methods and innovations, the detection and differentiation of malware solely based on its DNS tunneling features is still in its infancy. Moreover, no work so far has used the DNS tunneling traffic to gain knowledge over the current actions taken by the malware. In this paper, we present Domainator, an approach to detect and differentiate state-of-the-art malware and DNS tunneling tools without relying on trivial (but quickly altered) features such as "magic bytes" that are embedded into subdomains. Instead, we apply an analysis of sequential patterns to identify specific types of malware. We evaluate our approach with 7 different malware samples and tunneling tools and can identify the particular malware based on its DNS traffic. We further infer the rough behavior of the particular malware through its DNS tunneling artifacts. Finally, we compare our Domainator with related methods.

Related papers

DNS Tunneling: Threat Landscape and Improved Detection Solutions [1.6874375111244329]
We propose a novel approach to detect DNS tunneling with machine learning algorithms.<n>We combine machine learning algorithms to analyze the traffic by using features extracted from DNS traffic.<n>Analyses results show that the proposed approach is a good candidate to detect DNS tunneling accurately.
arXiv Detail & Related papers (2025-07-14T13:37:48Z)
Living off the Analyst: Harvesting Features from Yara Rules for Malware Detection [50.55317257140427]
A strategy used by malicious actors is to "live off the land," where benign systems are used and repurposed for the malicious actor's intent.<n>We show that this is plausible via YARA rules, which use human-written signatures to detect specific malware families.<n>By extracting sub-signatures from publicly available YARA rules, we assembled a set of features that can more effectively discriminate malicious samples.
arXiv Detail & Related papers (2024-11-27T17:03:00Z)
Relation-aware based Siamese Denoising Autoencoder for Malware Few-shot Classification [6.7203034724385935]
When malware employs an unseen zero-day exploit, traditional security measures can fail to detect them. Existing machine learning methods, which are trained on specific and occasionally outdated malware samples, may struggle to adapt to features in new malware. We propose a novel Siamese Neural Network (SNN) that uses relation-aware embeddings to calculate more accurate similarity probabilities.
arXiv Detail & Related papers (2024-11-21T11:29:10Z)
TI-DNS: A Trusted and Incentive DNS Resolution Architecture based on Blockchain [8.38094558878305]
Domain Name System (DNS) is vulnerable to some malicious attacks, including DNS cache poisoning. This paper presents TI-DNS, a blockchain-based DNS resolution architecture designed to detect and correct the forged DNS records. TI-DNS is easy to be adopted as it only requires modifications to the resolver side of current DNS infrastructure.
arXiv Detail & Related papers (2023-12-07T08:03:10Z)
MalDICT: Benchmark Datasets on Malware Behaviors, Platforms, Exploitation, and Packers [44.700094741798445]
Existing research on malware classification focuses almost exclusively on two tasks: distinguishing between malicious and benign files and classifying malware by family. We have identified four tasks which are under-represented in prior work: classification by behaviors that malware exhibit, platforms that malware run on, vulnerabilities that malware exploit, and packers that malware are packed with. We are releasing benchmark datasets for each of these four classification tasks, tagged using ClarAVy and comprising nearly 5.5 million malicious files in total.
arXiv Detail & Related papers (2023-10-18T04:36:26Z)
Detection of Malicious DNS-over-HTTPS Traffic: An Anomaly Detection Approach using Autoencoders [0.0]
We design an autoencoder that is capable of detecting malicious DNS traffic by only observing the encrypted DoH traffic. We find that our proposed autoencoder achieves the highest detection performance, with a median F-1 score of 99% over several types of malicious traffic.
arXiv Detail & Related papers (2023-10-17T15:03:37Z)
DRSM: De-Randomized Smoothing on Malware Classifier Providing Certified Robustness [58.23214712926585]
We develop a certified defense, DRSM (De-Randomized Smoothed MalConv), by redesigning the de-randomized smoothing technique for the domain of malware detection. Specifically, we propose a window ablation scheme to provably limit the impact of adversarial bytes while maximally preserving local structures of the executables. We are the first to offer certified robustness in the realm of static detection of malware executables.
arXiv Detail & Related papers (2023-03-20T17:25:22Z)
Mate! Are You Really Aware? An Explainability-Guided Testing Framework for Robustness of Malware Detectors [49.34155921877441]
We propose an explainability-guided and model-agnostic testing framework for robustness of malware detectors. We then use this framework to test several state-of-the-art malware detectors' abilities to detect manipulated malware. Our findings shed light on the limitations of current malware detectors, as well as how they can be improved.
arXiv Detail & Related papers (2021-11-19T08:02:38Z)
A Novel Malware Detection Mechanism based on Features Extracted from Converted Malware Binary Images [0.22843885788439805]
We use malware binary images and then extract different features from the same and then employ different ML-classifiers on the dataset thus obtained. We show that this technique is successful in differentiating classes of malware based on the features extracted.
arXiv Detail & Related papers (2021-04-14T06:55:52Z)
Being Single Has Benefits. Instance Poisoning to Deceive Malware Classifiers [47.828297621738265]
We show how an attacker can launch a sophisticated and efficient poisoning attack targeting the dataset used to train a malware classifier. As opposed to other poisoning attacks in the malware detection domain, our attack does not focus on malware families but rather on specific malware instances that contain an implanted trigger. We propose a comprehensive detection approach that could serve as a future sophisticated defense against this newly discovered severe threat.
arXiv Detail & Related papers (2020-10-30T15:27:44Z)
Detecting malicious PDF using CNN [46.86114958340962]
Malicious PDF files represent one of the biggest threats to computer security. We propose a novel algorithm that uses an ensemble of Convolutional Neural Network (CNN) on the byte level of the file. We show, using a data set of 90000 files downloadable online, that our approach maintains a high detection rate (94%) of PDF malware.
arXiv Detail & Related papers (2020-07-24T18:27:45Z)
DNS Tunneling: A Deep Learning based Lexicographical Detection Approach [1.3701366534590496]
DNS Tunneling is attractive to hackers who exploit it to establish bidirectional communication with machines infected with malware. The present work proposes a detection approach based on a Convolutional Neural Network (CNN) with a minimal architecture complexity. Despite its simple architecture, the resulting CNN model correctly detected more than 92% of total Tunneling domains with a false positive rate close to 0.8%.
arXiv Detail & Related papers (2020-06-11T00:10:13Z)

This list is automatically generated from the titles and abstracts of the papers in this site.