Supervised Learning Approaches with Majority Voting for DNS Tunneling Detection

The use of covert-channel methods to bypass security policies has increasing in the last years. Malicious users neutralize security restriction encapsulating protocols like peer-to-peer, chat or http proxy into other allowed protocols like DNS or HTTP. This paper illustrates different approaches to detect one particular covert channel technique: DNS tunneling. Results from experiments conducted on a live network are obtained by replicating individual detections over successive samples over time and making a global decision through a majority voting scheme. The technique overcomes traditional classifier limitations. A performance evaluation shows the best approach to reach good results by resorting to a unique classification scheme, applicable in the presence of different tunnelled applications.