Real-Time Detection of DNS Exfiltration and Tunneling from Enterprise Networks

2019 IFIP/IEEE Symposium on Integrated Network and Service Management (IM)(2019)

Cited by 48 | Views 36

Abstract
Enterprise networks constantly face the threat of valuable and sensitive data being stolen by cyber-attackers. Sophisticated attackers are increasingly exploiting the Domain Name System (DNS) channel for exfiltrating data as well as maintaining tunneled command and control communications for malware. This is because DNS traffic is usually allowed to pass through enterprise firewalls without deep inspection or state maintenance, thereby providing a covert channel for attackers to encode low volumes of data without fear of detection. This paper develops and evaluates a real-time mechanism for detecting exfiltration and tunneling of data over DNS. Unlike prior solutions that operate offline or in the network core, ours works in real time at the enterprise edge. Our first contribution is to develop, tune, and train a machine learning algorithm to detect anomalies in DNS queries using a benign dataset of top-ranked primary domains from two enterprise networks. Our second contribution is to implement our scheme on live 10 Gbps traffic streams from the network borders of the two organizations, inject more than a million malicious DNS queries generated via an exfiltration tool, and show that our solution is able to identify them with high accuracy. Our tools and datasets are made available to the public for validation and further research.
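The abstract describes training on a benign baseline of DNS query names and flagging queries whose attributes deviate from it. The following is an added illustration of that idea, not the paper's code, feature set or dataset: the features (query length, label count, longest label, character entropy, digit ratio), the z-score rule with a threshold of 3, and the sample query names are all assumptions constructed for this example.

```python
import math
from collections import Counter
from statistics import mean, pstdev

# Constructed sample data (not the paper's dataset). Benign names resemble
# ordinary enterprise lookups; the suspect name carries hex-looking payload
# in long, digit-heavy subdomain labels, the shape exfiltration tools produce.
BENIGN_QUERIES = [
    "www.example.com.", "mail.example.com.", "cdn.static-host.net.",
    "api.payments.example.org.", "login.microsoftonline.com.",
    "updates.vendor-site.com.", "img01.media-cache.net.", "ntp.pool.example.org.",
]
SUSPECT_QUERY = "4d5a900003000000ffff0000b8000000.0040000000000000.ex.exfil-example.net."

FEATURES = ("qname_len", "label_count", "max_label_len", "entropy", "digit_ratio")

def shannon_entropy(text):
    """Bits per character of the label text (dots removed by the caller)."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def extract_features(qname):
    """Per-query attributes computed from the query name alone."""
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    digits = sum(ch.isdigit() for ch in name)
    return {
        "qname_len": len(name),
        "label_count": len(labels),
        "max_label_len": max(len(label) for label in labels),
        "entropy": shannon_entropy(name.replace(".", "")),
        "digit_ratio": digits / max(len(name), 1),
    }

def fit_baseline(queries):
    """Mean and population std per feature over benign queries (std floored)."""
    rows = [extract_features(q) for q in queries]
    return {f: (mean(r[f] for r in rows), max(pstdev(r[f] for r in rows), 1e-3))
            for f in FEATURES}

def anomaly_score(qname, baseline):
    """Largest upward z-score across features; exfiltration inflates, never shrinks, them."""
    feats = extract_features(qname)
    return max((feats[f] - mu) / sd for f, (mu, sd) in baseline.items())

def is_anomalous(qname, baseline, threshold=3.0):
    return anomaly_score(qname, baseline) > threshold
```

With population std over n samples, no member of the baseline can exceed a z-score of sqrt(n - 1), so the benign training names themselves never trip the threshold of 3 for n up to 10.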
Keywords
DNS exfiltration, enterprise networks, valuable data, sensitive data, cyber-attackers, Domain Name System, DNS traffic, enterprise firewalls, deep inspection, covert channel, real-time mechanism, network core, enterprise edge, network borders, million malicious DNS queries, exfiltration tool