Detecting malicious DoH traffic: Leveraging small sample analysis and adversarial networks for detection

IF 3.8 2区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Journal of Information Security and Applications Pub Date : 2024-06-28 DOI:10.1016/j.jisa.2024.103827

Shaoqian Wu, Wei Wang, Zhanmeng Ding

{"title":"Detecting malicious DoH traffic: Leveraging small sample analysis and adversarial networks for detection","authors":"Shaoqian Wu, Wei Wang, Zhanmeng Ding","doi":"10.1016/j.jisa.2024.103827","DOIUrl":null,"url":null,"abstract":"<div><p>In light of the escalating frequency of DNS attacks, it is imperative to bolster user security and privacy through the encryption of DNS queries. However, conventional methods for detecting DNS traffic are no longer effective in identifying encrypted traffic, particularly with the utilization of the DNS-over-HTTPS (DoH) protocol, which employs secure HTTPS for DNS resolution. To confront this challenge, we propose a novel model for detecting malicious DoH traffic, named DoH-TriCGAN, which distinguishes between non-DoH, benign DoH, and malicious DoH traffic. DoH-TriCGAN employs a conditional generative adversarial network comprising three network components, for which we only provide additional information to the generator. We extracted different small sample datasets and large sample dataset from the CIRA-CIC-DoHBrw-2020 dataset, to evaluate the efficiency and effectiveness of the proposed DoH-TriCGAN model, and compared the quality of the generated synthetic data. To establish a benchmark, we utilized the six metrics – accuracy, precision, recall, F1-score, ROC_AUC, and PR_AUC – to assess the performance of our model. The results demonstrate our proposed model outperforms the other five models (RF, XGBoost, BiGRU, Autoencoder, Transformer), showing the best performance particularly in scenarios with limited training samples, while also demonstrating data expansion capabilities by generating high-quality synthetic data to address the issue of insufficient network traffic.</p></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":null,"pages":null},"PeriodicalIF":3.8000,"publicationDate":"2024-06-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information Security and Applications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2214212624001303","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

In light of the escalating frequency of DNS attacks, it is imperative to bolster user security and privacy through the encryption of DNS queries. However, conventional methods for detecting DNS traffic are no longer effective in identifying encrypted traffic, particularly with the utilization of the DNS-over-HTTPS (DoH) protocol, which employs secure HTTPS for DNS resolution. To confront this challenge, we propose a novel model for detecting malicious DoH traffic, named DoH-TriCGAN, which distinguishes between non-DoH, benign DoH, and malicious DoH traffic. DoH-TriCGAN employs a conditional generative adversarial network comprising three network components, for which we only provide additional information to the generator. We extracted different small sample datasets and large sample dataset from the CIRA-CIC-DoHBrw-2020 dataset, to evaluate the efficiency and effectiveness of the proposed DoH-TriCGAN model, and compared the quality of the generated synthetic data. To establish a benchmark, we utilized the six metrics – accuracy, precision, recall, F1-score, ROC_AUC, and PR_AUC – to assess the performance of our model. The results demonstrate our proposed model outperforms the other five models (RF, XGBoost, BiGRU, Autoencoder, Transformer), showing the best performance particularly in scenarios with limited training samples, while also demonstrating data expansion capabilities by generating high-quality synthetic data to address the issue of insufficient network traffic.

查看原文本刊更多论文

检测恶意 DoH 流量：利用小样本分析和对抗网络进行检测

鉴于 DNS 攻击日益频繁，必须通过加密 DNS 查询来加强用户安全和隐私保护。然而，传统的 DNS 流量检测方法已无法有效识别加密流量，尤其是在使用安全 HTTPS 进行 DNS 解析的 DNS-over-HTTPS （DoH）协议的情况下。为了应对这一挑战，我们提出了一种用于检测恶意 DoH 流量的新型模型，命名为 DoH-TriCGAN，它能区分非 DoH、良性 DoH 和恶意 DoH 流量。DoH-TriCGAN 采用了一个条件生成式对抗网络，由三个网络组件组成，我们只向生成器提供额外的信息。我们从 CIRA-CIC-DoHBrw-2020 数据集中提取了不同的小样本数据集和大样本数据集，以评估所提出的 DoH-TriCGAN 模型的效率和有效性，并比较了生成的合成数据的质量。为了建立基准，我们使用了准确率、精确度、召回率、F1-score、ROC_AUC 和 PR_AUC 这六个指标来评估模型的性能。结果表明，我们提出的模型优于其他五个模型（RF、XGBoost、BiGRU、Autoencoder、Transformer），尤其是在训练样本有限的情况下表现最佳，同时还通过生成高质量的合成数据来解决网络流量不足的问题，从而展示了数据扩展能力。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of Information Security and Applications Computer Science-Computer Networks and Communications

CiteScore

10.90

自引率

5.40%

发文量

206

审稿时长

56 days

期刊介绍： Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.