HERALD: Hybrid Ensemble Approach for Robust Anomaly Detection in encrypted DNS traffic
Umar Sa’ad, Demeke Shumeye Lakew, Nhu-Ngoc Dao, Sungrae Cho
Journal of Network and Computer Applications, volume 244, Article 104342. Published 2025-09-28.
DOI: 10.1016/j.jnca.2025.104342
https://www.sciencedirect.com/science/article/pii/S1084804525002395
Citation count: 0
Abstract
The proliferation of encrypted Domain Name System (DNS) traffic through protocols like DNS over Hypertext Transfer Protocol Secure presents significant privacy advantages but creates new challenges for anomaly detection. Traditional security mechanisms that rely on payload inspection become ineffective, necessitating advanced strategies capable of detecting threats in encrypted traffic. This study introduces the Hybrid Ensemble Approach for Robust Anomaly Detection (HERALD), a novel framework designed to detect anomalies in encrypted DNS traffic. HERALD combines unsupervised base detectors, including Isolation Forest (IF), One-Class Support Vector Machine (OCSVM), and Local Outlier Factor (LOF), with a supervised Random Forest meta-model, leveraging the strengths of both paradigms. Our comprehensive evaluation demonstrates HERALD’s exceptional performance, achieving 99.99 percent accuracy, precision, recall, and F1-score on the CIRA-CIC-DoHBrw-2020 dataset, while maintaining competitive computational efficiency with 110s training time and 2.2ms inference time. HERALD also demonstrates superior generalization capabilities on cross-dataset evaluations, exhibiting minimal performance degradation of only 2-4 percent when tested on previously unseen attack patterns, outperforming purely supervised models, which showed 5-8 percent degradation. The interpretability analysis, incorporating feature importance, accumulated local effects, and local interpretable model-agnostic explanations, provides insights into the relative contributions of each base detector, with OCSVM emerging as the most influential component, followed by IF and LOF. This study advances the field of network security by offering a robust, interpretable, and adaptable solution for detecting anomalies in encrypted DNS traffic that balances a high detection rate with a low false-positive rate.
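The stacking arrangement the abstract describes, as an added sketch that is not the authors' code: IF, OCSVM and LOF each score a flow, and a Random Forest meta-model classifies on those three scores, with its feature importances showing each base detector's contribution. Assumptions: scikit-learn is available, the base detectors are fitted on benign flows only, and the four flow features and their distributions are constructed sample data, not the CIRA-CIC-DoHBrw-2020 feature set.

```python
import numpy as np
from sklearn.ensemble import IsolationForest, RandomForestClassifier
from sklearn.neighbors import LocalOutlierFactor
from sklearn.preprocessing import StandardScaler
from sklearn.svm import OneClassSVM

def make_flows(rng, n, anomalous):
    """Constructed flows: [duration_s, bytes_sent, mean_pkt_len, pkt_time_var]."""
    if anomalous:  # assumed shape: longer flows, larger and burstier packets
        loc, scale = [8.0, 9000.0, 420.0, 3.0], [2.0, 2000.0, 60.0, 0.8]
    else:
        loc, scale = [1.0, 1500.0, 180.0, 0.5], [0.4, 400.0, 30.0, 0.2]
    return rng.normal(loc, scale, size=(n, 4))

class StackedAnomalyDetector:
    def __init__(self, seed=0):
        self.scaler = StandardScaler()
        self.bases = [  # unsupervised base detectors named in the abstract
            IsolationForest(n_estimators=100, random_state=seed),
            OneClassSVM(kernel="rbf", nu=0.05, gamma="scale"),
            LocalOutlierFactor(n_neighbors=20, novelty=True),
        ]
        self.meta = RandomForestClassifier(n_estimators=100, random_state=seed)

    def _scores(self, X):
        # One column per base detector; lower score means more anomalous.
        Xs = self.scaler.transform(X)
        return np.column_stack([b.score_samples(Xs) for b in self.bases])

    def fit(self, X_benign, X_labeled, y_labeled):
        Xs = self.scaler.fit_transform(X_benign)
        for b in self.bases:
            b.fit(Xs)  # base detectors never see labels
        self.meta.fit(self._scores(X_labeled), y_labeled)
        return self

    def predict(self, X):
        return self.meta.predict(self._scores(X))

def run_demo(seed=0):
    rng = np.random.default_rng(seed)
    X_benign = make_flows(rng, 400, False)
    X_lab = np.vstack([make_flows(rng, 300, False), make_flows(rng, 300, True)])
    y_lab = np.r_[np.zeros(300, int), np.ones(300, int)]
    X_test = np.vstack([make_flows(rng, 200, False), make_flows(rng, 200, True)])
    y_test = np.r_[np.zeros(200, int), np.ones(200, int)]
    det = StackedAnomalyDetector(seed).fit(X_benign, X_lab, y_lab)
    acc = float((det.predict(X_test) == y_test).mean())
    return acc, det.meta.feature_importances_  # order: IF, OCSVM, LOF
```

The constructed classes are far apart, so the accuracy here says nothing about real DoH traffic; the point is the data flow from raw features to base scores to the meta-model.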
About the journal:
The Journal of Network and Computer Applications welcomes research contributions, surveys, and notes in all areas relating to computer networks and applications thereof. Sample topics include new design techniques, interesting or novel applications, components or standards; computer networks with tools such as WWW; emerging standards for internet protocols; Wireless networks; Mobile Computing; emerging computing models such as cloud computing, grid computing; applications of networked systems for remote collaboration and telemedicine, etc. The journal is abstracted and indexed in Scopus, Engineering Index, Web of Science, Science Citation Index Expanded and INSPEC.