Improving the Identification of Real-world Malware's DNS Covert Channels Using Locality Sensitive Hashing
- URL: http://arxiv.org/abs/2511.20229v1
- Date: Tue, 25 Nov 2025 12:00:58 GMT
- Title: Improving the Identification of Real-world Malware's DNS Covert Channels Using Locality Sensitive Hashing
- Authors: Pascal Ruffing, Denis Petrov, Sebastian Zillien, Steffen Wendzel
- Abstract summary: We present the first application of Locality Sensitive Hashing to the detection and identification of real-world malware utilizing DNS covert channels. Our approach encodes DNS subdomain sequences into statistical similarity features that effectively capture anomalies indicative of malicious activity.
- Score: 0.0
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Nowadays, malware increasingly uses DNS-based covert channels in order to evade detection and maintain stealthy communication with its command-and-control servers. While prior work has focused on detecting such activity, identifying specific malware families and their behaviors from captured network traffic remains challenging due to the variability of DNS. In this paper, we present the first application of Locality Sensitive Hashing to the detection and identification of real-world malware utilizing DNS covert channels. Our approach encodes DNS subdomain sequences into statistical similarity features that effectively capture anomalies indicative of malicious activity. Combined with a Random Forest classifier, our method achieves higher accuracy and reduced false positive rates than prior approaches, while demonstrating improved robustness and generalization to previously unseen or modified malware samples. We further demonstrate that our approach enables reliable classification of malware behavior (e.g., uploading or downloading of files), based solely on DNS subdomains.
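As an added illustration (not code from the paper or its authors), the following Python sketch shows one way to turn DNS subdomain sequences into locality-sensitive similarity features for a classifier. It assumes MinHash over character-shape shingles as the LSH variant, since the abstract does not fix one; the query log lines, the monitored zone example.net and the reference samples are constructed.

```python
import hashlib

# Constructed DNS query log lines (invented for this example, not the paper's data).
# Each line is "<client> <queried name>"; the monitored zone example.net is a placeholder.
BENIGN_LOG = """10.0.0.5 www.example.net
10.0.0.5 mail.example.net
10.0.0.5 cdn-assets.example.net
10.0.0.5 api.example.net"""
COVERT_LOG_A = """10.0.0.7 4d5a90000300000004000000ffff0000.s1.example.net
10.0.0.7 b8000000000000004000000000000000.s2.example.net
10.0.0.7 00000000000000000000000000000000.s3.example.net"""
COVERT_LOG_B = """10.0.0.9 7f454c4602010100000000000000000002003e00.d1.example.net
10.0.0.9 0100000040100000000000004000000000000000.d2.example.net"""

def subdomain_sequence(log, zone):
    """Subdomain part (left of the zone) of every query, in capture order."""
    seq = []
    for line in log.splitlines():
        qname = line.split()[-1].lower().rstrip(".")
        if qname.endswith("." + zone):
            seq.append(qname[: -len(zone) - 1])
    return seq

def normalize(label):
    """Map characters to shape classes so structure, not payload bytes, is hashed."""
    return "".join("h" if c in "0123456789abcdef" else "a" if c.isalpha() else c
                   for c in label)

def shingles(seq, n=4):
    """Shape n-grams across the whole sequence plus a token per label length."""
    text = ".".join(normalize(lbl) for lbl in seq)
    s = {text[i:i + n] for i in range(len(text) - n + 1)}
    s |= {f"len:{len(part)}" for lbl in seq for part in lbl.split(".")}
    return s

def minhash(shingle_set, k=128):
    """MinHash signature: per seed, the smallest hash over all shingles."""
    return [min(int(hashlib.sha1(f"{seed}:{sh}".encode()).hexdigest(), 16)
                for sh in shingle_set) for seed in range(k)]

def estimated_jaccard(sig_a, sig_b):
    """Fraction of agreeing signature slots estimates the Jaccard similarity."""
    return sum(a == b for a, b in zip(sig_a, sig_b)) / len(sig_a)

def similarity_features(log, references, zone="example.net"):
    """Feature vector for a classifier: estimated similarity to each reference sample."""
    sig = minhash(shingles(subdomain_sequence(log, zone)))
    return {name: estimated_jaccard(sig, minhash(shingles(subdomain_sequence(ref, zone))))
            for name, ref in references.items()}
```

The resulting per-reference similarities are the kind of statistical feature a Random Forest can consume; a sequence of long hex labels scores close to another encoded-payload sample and near zero against ordinary hostnames.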
Related papers
- DNS Tunneling: Threat Landscape and Improved Detection Solutions [1.6874375111244329]
We propose a novel approach to detect DNS tunneling with machine learning algorithms. We combine machine learning algorithms to analyze the traffic by using features extracted from DNS traffic. Analyses results show that the proposed approach is a good candidate to detect DNS tunneling accurately.
arXiv Detail & Related papers (2025-07-14T13:37:48Z) - BotTrans: A Multi-Source Graph Domain Adaptation Approach for Social Bot Detection [55.31623652907614]
We propose a multi-source graph domain adaptation model named BotTrans for detecting social bots. We first leverage the labeling knowledge shared across multiple source networks to establish a cross-source-domain topology. We then aggregate cross-domain neighbor information to enhance the discriminability of source node embeddings.
arXiv Detail & Related papers (2025-06-12T02:10:36Z) - Domainator: Detecting and Identifying DNS-Tunneling Malware Using Metadata Sequences [0.0]
Domainator is an approach to detect and differentiate state-of-the-art malware and DNS tunneling tools. We evaluate our approach with 7 different malware samples and tunneling tools and can identify the particular malware based on its DNS traffic.
arXiv Detail & Related papers (2025-05-28T10:52:19Z) - TI-DNS: A Trusted and Incentive DNS Resolution Architecture based on Blockchain [8.38094558878305]
Domain Name System (DNS) is vulnerable to some malicious attacks, including DNS cache poisoning.
This paper presents TI-DNS, a blockchain-based DNS resolution architecture designed to detect and correct the forged DNS records.
TI-DNS is easy to adopt, as it only requires modifications to the resolver side of the current DNS infrastructure.
arXiv Detail & Related papers (2023-12-07T08:03:10Z) - Detection of Malicious DNS-over-HTTPS Traffic: An Anomaly Detection Approach using Autoencoders [0.0]
We design an autoencoder that is capable of detecting malicious DNS traffic by only observing the encrypted DoH traffic.
We find that our proposed autoencoder achieves the highest detection performance, with a median F-1 score of 99% over several types of malicious traffic.
arXiv Detail & Related papers (2023-10-17T15:03:37Z) - DRSM: De-Randomized Smoothing on Malware Classifier Providing Certified Robustness [58.23214712926585]
We develop a certified defense, DRSM (De-Randomized Smoothed MalConv), by redesigning the de-randomized smoothing technique for the domain of malware detection.
Specifically, we propose a window ablation scheme to provably limit the impact of adversarial bytes while maximally preserving local structures of the executables.
We are the first to offer certified robustness in the realm of static detection of malware executables.
arXiv Detail & Related papers (2023-03-20T17:25:22Z) - Mate! Are You Really Aware? An Explainability-Guided Testing Framework for Robustness of Malware Detectors [49.34155921877441]
We propose an explainability-guided and model-agnostic testing framework for robustness of malware detectors.
We then use this framework to test several state-of-the-art malware detectors' abilities to detect manipulated malware.
Our findings shed light on the limitations of current malware detectors, as well as how they can be improved.
arXiv Detail & Related papers (2021-11-19T08:02:38Z) - Unsupervised Out-of-Domain Detection via Pre-trained Transformers [56.689635664358256]
Out-of-domain inputs can lead to unpredictable outputs and sometimes catastrophic safety issues.
Our work tackles the problem of detecting out-of-domain samples with only unsupervised in-domain data.
Two domain-specific fine-tuning approaches are further proposed to boost detection accuracy.
arXiv Detail & Related papers (2021-06-02T05:21:25Z) - Being Single Has Benefits. Instance Poisoning to Deceive Malware Classifiers [47.828297621738265]
We show how an attacker can launch a sophisticated and efficient poisoning attack targeting the dataset used to train a malware classifier.
As opposed to other poisoning attacks in the malware detection domain, our attack does not focus on malware families but rather on specific malware instances that contain an implanted trigger.
We propose a comprehensive detection approach that could serve as a future sophisticated defense against this newly discovered severe threat.
arXiv Detail & Related papers (2020-10-30T15:27:44Z) - Adversarial EXEmples: A Survey and Experimental Evaluation of Practical Attacks on Machine Learning for Windows Malware Detection [67.53296659361598]
Adversarial EXEmples can bypass machine learning-based detection by perturbing relatively few input bytes.
We develop a unifying framework that does not only encompass and generalize previous attacks against machine-learning models, but also includes three novel attacks.
These attacks, named Full DOS, Extend and Shift, inject the adversarial payload by respectively manipulating the DOS header, extending it, and shifting the content of the first section.
arXiv Detail & Related papers (2020-08-17T07:16:57Z) - DNS Tunneling: A Deep Learning based Lexicographical Detection Approach [1.3701366534590496]
DNS Tunneling is attractive to hackers who exploit it to establish bidirectional communication with machines infected with malware.
The present work proposes a detection approach based on a Convolutional Neural Network (CNN) with a minimal architecture complexity.
Despite its simple architecture, the resulting CNN model correctly detected more than 92% of total Tunneling domains with a false positive rate close to 0.8%.
arXiv Detail & Related papers (2020-06-11T00:10:13Z)
This list is automatically generated from the titles and abstracts of the papers in this site.