Next-generation AI for advanced threat detection and security enhancement in DNS over HTTPS

IF 8 2区计算机科学 Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE

Journal of Network and Computer Applications Pub Date : 2025-10-03 DOI:10.1016/j.jnca.2025.104326

Basharat Ali, Guihai Chen

{"title":"Next-generation AI for advanced threat detection and security enhancement in DNS over HTTPS","authors":"Basharat Ali, Guihai Chen","doi":"10.1016/j.jnca.2025.104326","DOIUrl":null,"url":null,"abstract":"<div><div>The widespread adoption of DNS over HTTPS(DoH) has inaugurated a new paradigm of network privacy through the encryption of DNS queries; paradoxically, this very mechanism has been weaponized by malicious actors to orchestrate convert cyberattacks ranging from polymorphic malware delivery and data exfiltration to command-and-control (C2) operations. Classic signature-based solutions that rely on static security policies and packet-depth inspection are rendered useless in the face of encrypted DoH traffic, and today’s AI-driven defense solutions typically fail to achieve adversarial robustness, explainability, and real-time scalability. Bridging these gaps, this paper proposes an AI framework that integrates the best practices in machine learning together with secure execution environments to offer resilience, transparency, and low-latency DoH threat detection. Specifically, Capsule Networks (CapsNets) are used to learn hierarchical traffic flow patterns, Graph Transformers to uncover temporal anomalies, and Contrastive Self-Supervised Learning (CSSL) to leverage massive unlabeled datasets. Adversarial robustness is reinforced through perturbation-aware training and mutation-driven fuzzing simulations, while interpretability is enhanced via SHAP and LIME, rendering AI decision-making processes more intelligible to analysts. A distributed Apache Flink/Kafka pipeline enables real-time processing of DoH streams at scale, reducing detection latency by 50% compared to batch-oriented systems. Furthermore, Trusted Execution Environments(TEEs) safeguard model inference against tempering, mitigating insider threats and runtime exploitation. Empirical evaluation on the doh_real_world_2022 dataset demonstrates 99.1% detection accuracy with CapsNets, 98.8% with Graph Transformers, and an 80% improvement in adversarial resilience. These developments collectively propel the discipline of encrypted traffic analysis and establish a benchmark for safeguarding cybersecurity protocols such as QUIC and HTTP/3 that are gaining traction. The findings validate the feasibility of AI-driven, privacy-augmented security systems during an era of escalating cyber-attacks and demands algorithmic transparency.</div></div>","PeriodicalId":54784,"journal":{"name":"Journal of Network and Computer Applications","volume":"244 ","pages":"Article 104326"},"PeriodicalIF":8.0000,"publicationDate":"2025-10-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Network and Computer Applications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1084804525002231","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}

引用次数: 0

Abstract

The widespread adoption of DNS over HTTPS(DoH) has inaugurated a new paradigm of network privacy through the encryption of DNS queries; paradoxically, this very mechanism has been weaponized by malicious actors to orchestrate convert cyberattacks ranging from polymorphic malware delivery and data exfiltration to command-and-control (C2) operations. Classic signature-based solutions that rely on static security policies and packet-depth inspection are rendered useless in the face of encrypted DoH traffic, and today’s AI-driven defense solutions typically fail to achieve adversarial robustness, explainability, and real-time scalability. Bridging these gaps, this paper proposes an AI framework that integrates the best practices in machine learning together with secure execution environments to offer resilience, transparency, and low-latency DoH threat detection. Specifically, Capsule Networks (CapsNets) are used to learn hierarchical traffic flow patterns, Graph Transformers to uncover temporal anomalies, and Contrastive Self-Supervised Learning (CSSL) to leverage massive unlabeled datasets. Adversarial robustness is reinforced through perturbation-aware training and mutation-driven fuzzing simulations, while interpretability is enhanced via SHAP and LIME, rendering AI decision-making processes more intelligible to analysts. A distributed Apache Flink/Kafka pipeline enables real-time processing of DoH streams at scale, reducing detection latency by 50% compared to batch-oriented systems. Furthermore, Trusted Execution Environments(TEEs) safeguard model inference against tempering, mitigating insider threats and runtime exploitation. Empirical evaluation on the doh_real_world_2022 dataset demonstrates 99.1% detection accuracy with CapsNets, 98.8% with Graph Transformers, and an 80% improvement in adversarial resilience. These developments collectively propel the discipline of encrypted traffic analysis and establish a benchmark for safeguarding cybersecurity protocols such as QUIC and HTTP/3 that are gaining traction. The findings validate the feasibility of AI-driven, privacy-augmented security systems during an era of escalating cyber-attacks and demands algorithmic transparency.

查看原文本刊更多论文

下一代AI用于通过HTTPS在DNS中进行高级威胁检测和安全增强

通过对DNS查询进行加密，DNS over HTTPS（DoH）的广泛采用开创了一种新的网络隐私范式；矛盾的是，这种机制已经被恶意行为者武器化，以协调转换网络攻击，从多态恶意软件交付和数据泄露到指挥和控制（C2）操作。经典的基于签名的解决方案依赖于静态安全策略和包深度检测，在加密的DoH流量面前变得无用，而今天的人工智能驱动的防御解决方案通常无法实现对抗性的鲁棒性、可解释性和实时可扩展性。为了弥合这些差距，本文提出了一个人工智能框架，该框架将机器学习中的最佳实践与安全执行环境相结合，以提供弹性、透明度和低延迟DoH威胁检测。具体来说，胶囊网络（CapsNets）用于学习分层交通流模式，图形转换器用于发现时间异常，对比自监督学习（CSSL）用于利用大量未标记的数据集。对抗鲁棒性通过扰动感知训练和突变驱动的模糊模拟得到加强，而可解释性通过SHAP和LIME得到增强，使人工智能决策过程对分析师更容易理解。分布式Apache Flink/Kafka管道支持大规模实时处理DoH流，与面向批处理的系统相比，将检测延迟减少50%。此外，可信执行环境（tee）保护模型推理不受篡改，减轻内部威胁和运行时利用。对doh_real_world_2022数据集的实证评估表明，capnet的检测准确率为99.1%，Graph transformer的检测准确率为98.8%，对抗弹性提高了80%。这些发展共同推动了加密流量分析的发展，并为保护网络安全协议（如QUIC和HTTP/3）建立了基准。研究结果验证了在网络攻击不断升级的时代，人工智能驱动的、增强隐私的安全系统的可行性，并要求算法透明。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of Network and Computer Applications 工程技术-计算机：跨学科应用

CiteScore

21.50

自引率

3.40%

发文量

142

审稿时长

37 days

期刊介绍： The Journal of Network and Computer Applications welcomes research contributions, surveys, and notes in all areas relating to computer networks and applications thereof. Sample topics include new design techniques, interesting or novel applications, components or standards; computer networks with tools such as WWW; emerging standards for internet protocols; Wireless networks; Mobile Computing; emerging computing models such as cloud computing, grid computing; applications of networked systems for remote collaboration and telemedicine, etc. The journal is abstracted and indexed in Scopus, Engineering Index, Web of Science, Science Citation Index Expanded and INSPEC.