Detection of malicious and low throughput data exfiltration over the DNS protocol

Asaf Nadler, Avi Aminov, Asaf Shabtai

Computers & Security 80, 36-53, 2019

In the presence of security countermeasures, malware designed for data exfiltration must use a covert channel to achieve its goal. The Domain Name System (DNS) protocol is a covert channel commonly used by malware developers today for this purpose. Although the detection of covert channels over DNS has been studied for the past decade, prior research has largely dealt with a specific subclass of covert channels, namely DNS tunneling. While the importance of tunneling detection should not be minimized, an entire class of low-throughput DNS exfiltration malware has been overlooked. In this study, we propose a method for detecting both tunneling and low-throughput data exfiltration over the DNS. After determining that previously detected malware used Internet domains that were registered for a cyber-campaign rather than compromising existing legitimate domains, we focus on detecting and …
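To make the distinction between tunneling and low-throughput exfiltration concrete, the following is an added illustration, not the paper's method or code: it runs a burst-oriented volume detector and a per-registered-domain aggregate detector over a constructed day of DNS query logs. The domain names, thresholds and the two-label "registered domain" heuristic are assumptions made for the example (a real deployment would use the Public Suffix List and tuned thresholds). The point it demonstrates is that a slow channel sending one short encoded label every ten minutes carries less payload per hour than ordinary web lookups, so per-query or per-minute volume checks miss it, while features aggregated per registered domain over a long window (unique-subdomain count and ratio, label entropy) separate both the tunnel and the slow channel from legitimate traffic.

```python
import base64
import hashlib
import math
from collections import defaultdict

WINDOW_SECONDS = 86400  # assumption: one fixed 24-hour observation window


def registered_domain(name: str) -> str:
    """Registered (second-level) domain of a query name.
    Assumption: two-label suffix (example.com); real code needs the Public Suffix List."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def subdomain_part(name: str) -> str:
    """All labels below the registered domain, dots removed (the attacker-controlled bytes)."""
    labels = name.rstrip(".").lower().split(".")
    return "".join(labels[:-2])


def shannon_entropy(s: str) -> float:
    """Per-character Shannon entropy in bits; encoded data scores high, hostnames low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def deterministic_label(seed: int, length: int) -> str:
    """Reproducible base32 label standing in for encoded exfiltrated data (constructed)."""
    digest = hashlib.sha256(str(seed).encode()).digest()
    return base64.b32encode(digest).decode().lower().rstrip("=")[:length]


def build_sample_log():
    """Constructed log of (timestamp_seconds, queried_name); all domains are invented."""
    log = []
    legit = ["www.example.com", "mail.example.com", "cdn.example.com"]
    for t in range(0, WINDOW_SECONDS, 30):            # normal lookups every 30 s
        log.append((t, legit[(t // 30) % len(legit)]))
    for i in range(300):                               # tunnel: 300 long labels in 5 min
        log.append((3600 + i, deterministic_label(i, 40) + ".t.example-tunnel.net"))
    for i in range(144):                               # slow exfil: 12 chars every 10 min
        log.append((i * 600, deterministic_label(1000 + i, 12) + ".example-slow.org"))
    log.sort()
    return log


def per_minute_volume_detector(log, threshold=30):
    """Baseline: flag a domain if any 60-second window holds more than `threshold` queries.
    Catches bursts (tunneling) but not a channel that paces itself."""
    per_domain = defaultdict(list)
    for t, name in log:
        per_domain[registered_domain(name)].append(t)
    flagged = set()
    for domain, times in per_domain.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] >= 60:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(domain)
                break
    return flagged


def domain_features(log):
    """Aggregate per registered domain over the whole window (the unit an attacker registers)."""
    groups = defaultdict(list)
    for _, name in log:
        groups[registered_domain(name)].append(subdomain_part(name))
    feats = {}
    hours = WINDOW_SECONDS / 3600
    for domain, subs in groups.items():
        total = len(subs)
        feats[domain] = {
            "queries": total,
            "unique_subdomains": len(set(subs)),
            "unique_ratio": len(set(subs)) / total,
            "mean_subdomain_len": sum(len(s) for s in subs) / total,
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / total,
            "payload_chars_per_hour": sum(len(s) for s in subs) / hours,
        }
    return feats


def aggregate_detector(feats, min_unique=50, min_ratio=0.5, min_entropy=2.5):
    """Flag domains whose queries are mostly distinct, numerous and high-entropy,
    regardless of how slowly they arrive. Thresholds are illustrative assumptions."""
    return {d for d, f in feats.items()
            if f["unique_subdomains"] >= min_unique
            and f["unique_ratio"] >= min_ratio
            and f["mean_entropy"] >= min_entropy}


if __name__ == "__main__":
    log = build_sample_log()
    print("volume detector:   ", sorted(per_minute_volume_detector(log)))
    feats = domain_features(log)
    print("aggregate detector:", sorted(aggregate_detector(feats)))
    for d, f in sorted(feats.items()):
        print(d, {k: round(v, 2) for k, v in f.items()})
```

Running it shows the volume detector flagging only example-tunnel.net, while the aggregate detector flags both example-tunnel.net and example-slow.org; the printed features show example-slow.org moving fewer characters per hour than example.com, which is exactly why a volume threshold cannot be lowered far enough to catch it without flagging ordinary traffic.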