Identifying DoH Tunnel Traffic Using Core Features and Machine Learning Method

Published: 01 Jan 2023, Last Modified: 15 Nov 2023. Venue: CSCWD 2023
Abstract: The DNS protocol is a plaintext domain-name resolution protocol and therefore carries a risk of privacy disclosure. The DNS over HTTPS (DoH) protocol encrypts DNS traffic and addresses that privacy problem. However, many network attackers use DoH tunnels for malicious transmission. Observed passively, normal DoH traffic and DoH tunnel traffic show no obvious difference, which makes distinguishing them a significant challenge. Current research focuses mainly on plaintext DNS covert tunnels and much less on encrypted DoH tunnels. In this paper, we propose a two-step DoH covert-tunnel detection method based on core features and machine learning. First, we detect DoH traffic using feature thresholds. Then, within the DoH traffic, we use core features and machine-learning methods to detect tunnel traffic. Finally, we verify the method on self-collected and public datasets. The results show that the method achieves up to 99% precision and recall, exceeding the state-of-the-art method.
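The abstract describes the two-stage pipeline but not which core features or classifier it uses. The Python below is an added illustration written for this page, not code from the paper: stage 1 applies a simple threshold rule (port 443, a minimum packet count, and a cap on median packet length), and stage 2 fits a nearest-centroid classifier over three assumed per-flow statistics (mean packet length, upload byte ratio, mean inter-arrival time) that stand in for the paper's unnamed core features. Every flow, threshold and feature choice here is constructed for the example.

```python
"""Added illustration of a two-stage DoH tunnel detector:
stage 1 = threshold filter, stage 2 = nearest-centroid classifier over
per-flow statistics. Flows, thresholds and features are constructed here,
not taken from the paper."""
import math
import statistics
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A packet is (timestamp_seconds, direction, length_bytes); direction is
# "c" for client -> resolver and "s" for resolver -> client.
Packet = Tuple[float, str, int]
FEATURES = ("mean_len", "up_ratio", "mean_iat")


@dataclass
class Flow:
    dst_port: int
    packets: List[Packet]


def is_doh_candidate(flow: Flow, max_median_len: int = 600, min_packets: int = 4) -> bool:
    """Stage 1: cheap threshold rule that keeps short-message TLS flows on 443.
    Thresholds are illustrative assumptions, not the paper's values."""
    if flow.dst_port != 443 or len(flow.packets) < min_packets:
        return False
    return statistics.median(p[2] for p in flow.packets) <= max_median_len


def extract_features(flow: Flow) -> Dict[str, float]:
    """Stage 2 input: assumed stand-ins for the paper's (unnamed) core features."""
    lengths = [p[2] for p in flow.packets]
    client_bytes = sum(p[2] for p in flow.packets if p[1] == "c")
    times = [p[0] for p in flow.packets]
    iats = [b - a for a, b in zip(times, times[1:])]
    return {
        "mean_len": statistics.fmean(lengths),
        "up_ratio": client_bytes / sum(lengths),
        "mean_iat": statistics.fmean(iats) if iats else 0.0,
    }


def _scale(row: Dict[str, float], lo: Dict[str, float], hi: Dict[str, float]) -> List[float]:
    # Min-max scaling so byte counts do not swamp ratios and timings.
    return [(row[k] - lo[k]) / ((hi[k] - lo[k]) or 1.0) for k in FEATURES]


def train_centroids(samples: List[Tuple[Flow, str]]) -> Dict:
    """Fit scaling ranges and one centroid per label from labelled flows."""
    rows = [(extract_features(f), label) for f, label in samples]
    lo = {k: min(r[k] for r, _ in rows) for k in FEATURES}
    hi = {k: max(r[k] for r, _ in rows) for k in FEATURES}
    vecs: Dict[str, List[List[float]]] = {}
    for r, label in rows:
        vecs.setdefault(label, []).append(_scale(r, lo, hi))
    centroids = {lbl: [statistics.fmean(col) for col in zip(*v)] for lbl, v in vecs.items()}
    return {"lo": lo, "hi": hi, "centroids": centroids}


def classify(flow: Flow, model: Dict) -> str:
    """Nearest centroid in scaled feature space decides the label."""
    v = _scale(extract_features(flow), model["lo"], model["hi"])
    return min(model["centroids"], key=lambda lbl: math.dist(v, model["centroids"][lbl]))


def detect(flow: Flow, model: Dict) -> str:
    """Full pipeline verdict: 'not-doh', 'doh' or 'doh-tunnel'."""
    if not is_doh_candidate(flow):
        return "not-doh"
    return "doh-tunnel" if classify(flow, model) == "tunnel" else "doh"


# Constructed flows. Normal DoH: small request/response pairs, seconds apart.
# Tunnel: large, upload-heavy client packets at a tight cadence.
NORMAL_1 = Flow(443, [(0.00, "c", 120), (0.03, "s", 180), (0.50, "c", 110),
                      (0.53, "s", 190), (1.20, "c", 125), (1.24, "s", 175)])
NORMAL_2 = Flow(443, [(0.00, "c", 130), (0.04, "s", 200), (0.90, "c", 115), (0.95, "s", 185),
                      (2.00, "c", 120), (2.03, "s", 170), (3.10, "c", 118), (3.14, "s", 192)])
TUNNEL_1 = Flow(443, [(0.00, "c", 520), (0.01, "s", 90), (0.05, "c", 530), (0.06, "s", 95),
                      (0.10, "c", 510), (0.11, "s", 92), (0.15, "c", 540), (0.16, "s", 88)])
TUNNEL_2 = Flow(443, [(0.00, "c", 480), (0.02, "s", 100), (0.06, "c", 500), (0.08, "s", 96),
                      (0.12, "c", 515), (0.14, "s", 99), (0.18, "c", 495), (0.20, "s", 93),
                      (0.24, "c", 505), (0.26, "s", 97)])
TRAINING = [(NORMAL_1, "normal"), (NORMAL_2, "normal"), (TUNNEL_1, "tunnel"), (TUNNEL_2, "tunnel")]

# Unlabelled flows to score: a tunnel-like flow, a normal lookup, and an
# ordinary HTTPS download whose large server segments fail stage 1.
QUERY_TUNNEL = Flow(443, [(0.00, "c", 512), (0.01, "s", 90), (0.04, "c", 508),
                          (0.05, "s", 94), (0.08, "c", 520), (0.09, "s", 91)])
QUERY_NORMAL = Flow(443, [(0.00, "c", 122), (0.05, "s", 188), (1.50, "c", 117), (1.54, "s", 182)])
WEB_DOWNLOAD = Flow(443, [(0.00, "c", 517), (0.02, "s", 1400), (0.03, "s", 1400), (0.04, "s", 1400),
                          (0.05, "s", 1400), (0.06, "c", 60), (0.07, "s", 1400)])


def run_demo() -> Dict[str, str]:
    """Train on the constructed labelled flows and score the three queries."""
    model = train_centroids(TRAINING)
    return {name: detect(f, model) for name, f in
            [("tunnel", QUERY_TUNNEL), ("normal", QUERY_NORMAL), ("web", WEB_DOWNLOAD)]}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The point of the split is operational: stage 1 is cheap enough to run on every TLS flow, so the classifier only ever sees DoH candidates and its training data can be drawn from labelled DoH captures rather than from all HTTPS traffic. The nearest-centroid model is a stand-in for whatever learner the paper evaluates; swapping in a tree or gradient-boosting model changes only `train_centroids` and `classify`, while the feature extraction and threshold gate stay the same.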