Profiling DNS tunneling attacks with PCA and mutual information

The use of covert-channel methods to bypass security policies or leak sensitive data has increased in the last years. Malicious users neutralize security restriction through protocol encapsulation, tunneling peer-to-peer, chat, or HTTP packets into allowed protocols such as DNS or HTTP. In this article, we propose an innovative profiling system for DNS tunnels that is based on Principal Component Analysis and Mutual Information. Results from experiments conducted on a live network show that one of the introduced metric is able to characterize anomalies on small DNS servers, while the other behaves better on medium sized servers. Concerning DNS tunneling attacks, the proposed approach reveals to be an efficient tool for traffic profiling in the presence of DNS tunneling.