A security model for DNS tunnel detection on cloud platform
Lorena de Souza Bezerra Borges, Robson de Oliveira Albuquerque, R. T. de Sousa Júnior
2022 Workshop on Communication Networks and Power Systems (WCNPS), published 2022-11-17
DOI: 10.1109/WCNPS56355.2022.9969715
Citations: 0
Abstract
DNS tunneling uses DNS protocol features to establish command and control channels and can therefore be abused as a tool for data exfiltration. DNS tunneling threats affect cross-platform systems on both local and cloud computing resources. This article proposes an effective DNS tunnel detection methodology that integrates cloud-based resources. The proposed detection methods run an unsupervised machine-learning model for anomaly identification. The validation uses a collected DNS traffic dataset and demonstrates the approach on C2, data exfiltration, and heartbeat tunnel test scenarios; high anomaly-detection rates are obtained even for the low-volume data transferred in those scenarios. The study takes an operational approach and could be adapted to form part of an organization's security control systems.