Feature transformation and Mutual Information for DNS tunneling analysis
Cambiaso E; Aiello M; Mongelli M; Papaleo G
2016
Abstract
Tunneling attacks are executed to bypass security policies or leak sensitive data outside of a network. In this paper, we propose an innovative algorithm to profile DNS tunnels. Our approach combines Principal Component Analysis and Mutual Information. The proposed algorithm is validated on a live network. Results show that, under specific conditions, anomalies are correctly characterized through the proposed method. Other cases instead require further investigation.