Skip to content
/ csnet24-dtw-dns-exfiltration Public

Dynamic Time Warping for DNS Tunneling and Data Exfiltration

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

EMCL-Research-ITSecLab/csnet24-dtw-dns-exfiltration

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

81 Commits
dtw_data
dtw_data
 
 
dtw_data_npy
dtw_data_npy
 
 
figs
figs
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
convert_pcap.py
convert_pcap.py
 
 
dtw_plot.py
dtw_plot.py
 
 
dtw_plot_som.py
dtw_plot_som.py
 
 
generate_npy_data.py
generate_npy_data.py
 
 
generate_npy_data_heicloud.py
generate_npy_data_heicloud.py
 
 
generate_npy_plots.py
generate_npy_plots.py
 
 
hyperparam_optimization.py
hyperparam_optimization.py
 
 
live_sniffer.py
live_sniffer.py
 
 
requirements.txt
requirements.txt
 
 
result_15s.json
result_15s.json
 
 
result_1min.json
result_1min.json
 
 
result_30s.json
result_30s.json
 
 
result_45s.json
result_45s.json
 
 
train.py
train.py
 
 
train.sh
train.sh
 
 
utils.py
utils.py
 
 
validate.py
validate.py
 
 
xg.py
xg.py
 
 
xg_dataset.py
xg_dataset.py
 
 
xg_main.py
xg_main.py
 
 

Repository files navigation

Dynamic-Time-Warping for DNS Exfiltration Detection

Detection of DNS tunneling using Dynamic-Time-Warping.

Getting Started

Convert PCAPs to .csv file format:

python dtw_convert_pcap.py

Next, convert CSV files to .npy to train our kNN classifier:

python dtw_data.py
python dtw_data_heicloud.py # not publicly available

Next, train classifier (our skip this step to use the provided one)

python dtwknn.py

DNS Tunneling

Data set

In this study, we investigated the effects of packet_size, entropy, ``. We converted all *.pcap files using Tshark. Due to same IP addresses across the data set, we changed them accordingly.

tshark -r benign_heavy_3.pcap -Y "dns.flags == 0x0100" -T fields -e frame.time -e ip.src -e frame.len
sed -i -- 's/192.168.20.38/1.1.1.3/g' benign_heavy_3.csv

In addition, we also traced DNS tunnels in our lab environment.

Check heiBOX for the PCAPs files.

Verification

In order to validate our results, we implemented a XGBoost Ensemble and validated our performance against a well-established method.

Problems

skTime and Tensorflow

Set XLA_FLAGS for cuda path:

export XLA_FLAGS=--xla_gpu_cuda_data_dir=/usr/lib/cuda

Remove warning:

for a in /sys/bus/pci/devices/*; do echo 0 | sudo tee -a $a/numa_node; done

About

Dynamic Time Warping for DNS Tunneling and Data Exfiltration

Topics

dns-tunneling dns-exfiltration dns-tunneling-detection csnet24

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Languages