Unsupervised learning and rule extraction for Domain Name Server tunneling detection

The paper deals with k-means clustering and logic learning machine (LLM) for the detection of Domain Name Server (DNS) tunneling. As the LLM shows more versatility in rule generation and classification precision with respect to traditional decision trees, the approach reveals to be robust to a large set of system conditions. The detection algorithm is designed to be applied over streaming data, without accurate tuning of algorithms' parameters. An extensive performance evaluation is provided with respect to different tunneling tools and applications; silent intruders are considered. Results show robustness on a test set that exhibits a different behavior from training.