Network Flow Entropy for Identifying Malicious Behaviours in DNS Tunnels

Proceedings of the 16th International Conference on Availability, Reliability and Security Pub Date : 2021-08-16 DOI:10.1145/3465481.3470089

Yulduz Khodjaeva, Nur Zincir-Heywood

{"title":"Network Flow Entropy for Identifying Malicious Behaviours in DNS Tunnels","authors":"Yulduz Khodjaeva, Nur Zincir-Heywood","doi":"10.1145/3465481.3470089","DOIUrl":null,"url":null,"abstract":"In this paper, we propose the concept of ”entropy of a flow” to augment flow statistical features for identifying malicious behaviours in DNS tunnels, specifically DNS over HTTPS traffic. In order to achieve this, we explore the use of three flow exporters, namely Argus, DoHlyzer and Tranalyzer2 to extract flow statistical features. We then augment these features using different ways of calculating the entropy of a flow. To this end, we investigate three entropy calculation approaches: Entropy over all packets of a flow, Entropy over the first 96 bytes of a flow, and Entropy over the first n-packets of a flow. We evaluate five machine learning classifiers, namely Decision Tree, Random Forest, Logistic Regression, Support Vector Machine and Naive Bayes using these features in order to identify malicious behaviours in different publicly available datasets. The evaluations show that the Decision Tree classifier achieves an F-measure of 99.7% when flow statistical features are augmented with entropy of a flow calculated over the first 4 packets.","PeriodicalId":417395,"journal":{"name":"Proceedings of the 16th International Conference on Availability, Reliability and Security","volume":"58 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-08-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"7","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 16th International Conference on Availability, Reliability and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3465481.3470089","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 7

Abstract

In this paper, we propose the concept of ”entropy of a flow” to augment flow statistical features for identifying malicious behaviours in DNS tunnels, specifically DNS over HTTPS traffic. In order to achieve this, we explore the use of three flow exporters, namely Argus, DoHlyzer and Tranalyzer2 to extract flow statistical features. We then augment these features using different ways of calculating the entropy of a flow. To this end, we investigate three entropy calculation approaches: Entropy over all packets of a flow, Entropy over the first 96 bytes of a flow, and Entropy over the first n-packets of a flow. We evaluate five machine learning classifiers, namely Decision Tree, Random Forest, Logistic Regression, Support Vector Machine and Naive Bayes using these features in order to identify malicious behaviours in different publicly available datasets. The evaluations show that the Decision Tree classifier achieves an F-measure of 99.7% when flow statistical features are augmented with entropy of a flow calculated over the first 4 packets.

查看原文本刊更多论文

基于网络流量熵的DNS隧道恶意行为识别

在本文中，我们提出了“流量熵”的概念，以增强流量统计特征，以识别DNS隧道中的恶意行为，特别是DNS over HTTPS流量。为了实现这一点，我们探索了使用三个流量导出器，即Argus, DoHlyzer和Tranalyzer2来提取流量统计特征。然后，我们使用计算流熵的不同方法来增强这些特征。为此，我们研究了三种熵计算方法:流的所有数据包的熵，流的前96个字节的熵，流的前n个数据包的熵。我们评估了五种机器学习分类器，即决策树，随机森林，逻辑回归，支持向量机和朴素贝叶斯，使用这些特征来识别不同公开可用数据集中的恶意行为。评估表明，当流量统计特征与前4个数据包计算的流量熵增强时，决策树分类器的f度量达到99.7%。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 16th International Conference on Availability, Reliability and Security

自引率

0.00%

发文量