OptiTuneD: An Optimized Framework for Zero-Day DNS Tunnel Detection Using N-Grams
Abstract
The Domain Name System (DNS) is an essential Internet component that resolves domain names into IP addresses. Traditionally, the DNS protocol was not intended to carry data but only to facilitate the resolution of domain names to IP addresses. As a result, firewalls and other security solutions do not inspect the payload of DNS traffic, which makes the DNS protocol an ideal choice for attackers to exploit for malicious activities such as DNS tunneling or DNS exfiltration. Additionally, the DNS port is typically left open on the network, which further paves the way for attackers to use DNS tunnels to encapsulate their illicit data within DNS queries and responses. We present OptiTuneD, a novel, lightweight, simple, yet highly effective framework for detecting zero-day DNS tunnels. OptiTuneD is trained on n-grams extracted from the benign domain names in DNS request packets, and when an unseen domain name is detected during identification, an alarm is generated. To verify the validity of our proposed method, we tested OptiTuneD on three publicly available datasets. The experimental results show recall rates of 99.99%, 99.97%, and 92.63% on Dataset-1, Dataset-2, and Dataset-3, respectively, with identification times of 0.16 seconds, 0.13 seconds, and 0.41 seconds on Dataset-1, Dataset-2, and Dataset-3, respectively. We have compared OptiTuneD with the closely related state-of-the-art method and found that the average recall rate of OptiTuneD is nearly 10% higher and that it is nearly 6 times faster than the other method. © 2023 IEEE.
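The detection idea the abstract describes, as an added example that is not the OptiTuneD authors' code: a character n-gram allowlist is built from benign query names, and a name whose n-grams were never seen in training raises an alarm. The n-gram size, the per-label n-gram extraction, the alert ratio and all domain names below are assumptions or constructed sample data.

```python
"""Character n-gram allowlist for DNS query names (added example, not the
OptiTuneD implementation). Assumptions: n = 3, n-grams are taken within each
DNS label so they never span a dot, and a query is flagged when the share of
n-grams absent from the benign model exceeds ALERT_RATIO."""

N = 3                # assumed n-gram size
ALERT_RATIO = 0.3    # assumed share of unseen n-grams that raises an alarm


def labels(qname):
    """Normalise a query name (lowercase, no trailing dot) and split it into labels."""
    return [lb for lb in qname.lower().rstrip(".").split(".") if lb]


def ngrams(qname, n=N):
    """Set of character n-grams, computed inside each label."""
    grams = set()
    for lb in labels(qname):
        grams.update(lb[i:i + n] for i in range(len(lb) - n + 1))
    return grams


def train(benign_qnames, n=N):
    """Build the allowlist: every n-gram observed in benign query names."""
    model = set()
    for q in benign_qnames:
        model |= ngrams(q, n)
    return model


def unseen_ratio(qname, model, n=N):
    """Fraction of the query name's n-grams that the benign model never saw."""
    grams = ngrams(qname, n)
    if not grams:           # names too short for any n-gram are not scored
        return 0.0
    return len(grams - model) / len(grams)


def is_suspicious(qname, model, n=N, ratio=ALERT_RATIO):
    """Alarm when enough of the name's n-grams are unseen in benign training."""
    return unseen_ratio(qname, model, n) > ratio


# Constructed benign training names, standing in for a benign DNS capture.
BENIGN = ["www.example.com", "mail.example.com", "cdn.example.net",
          "api.example.org", "login.example.com", "static.example.net"]

if __name__ == "__main__":
    model = train(BENIGN)
    # Constructed test names: an ordinary lookup and a tunnel-style encoded label.
    for q in ["www.example.org", "aGVsbG8gd29ybGQ4d3Rm.t.example.com"]:
        print(q, round(unseen_ratio(q, model), 2), is_suspicious(q, model))
```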