A Hybrid Method of Genetic Algorithm and Support Vector Machine for DNS Tunneling Detection

fuqdan al-ibraheemi


With the expansion of the business over the internet, corporations nowadays are investing numerous amounts of money in the web applications not only for making profit but also for storing their information, communicating with their clients and accommodating transactions. However, there are different threats could make the corporations vulnerable for potential attacks. One of the significant threats is the DNS tunneling which is an attack that exploit the domain name protocol in order to bypass security gateways. This would lead to lose critical information which is a disastrous situation for many organizations. Recently, researchers have paid more attention in the machine learning techniques regarding the process of DNS tunneling. In their approaches, the authors have used different and numerous types of features such as domain length, number of bytes, content, volume of DNS traffic, number of hostnames per domain, geographic location and domain history. Apparently, there is a vital demand to accommodate feature selection task in order to identify the best features. This paper aims to propose a hybrid method of Genetic Algorithm feature selection approach with the Support Vector Machine classifier for the sake of identifying the best features that have the ability to optimize the detection of DNS tunneling. To evaluate the proposed method, a benchmark dataset of DNS tunneling has been used. Results showed that the proposed method has outperformed the conventional SVM by achieving 0.946 of f-measure.


DNS Tunneling; Support Vector Machine; Genetic Algorithm; Feature Selection


P. Hacking, “Reverse DNS Tunneling–Staged Loading Shellcode,” Ty Miller, Blackhat, 2008.

T. van Leijenhorst, K.-W. Chin, and D. Lowe, “On the viability and performance of DNS tunneling,” 2008.

K. Born, and D. Gustafson, "Ngviz: detecting dns tunnels through n-gram visualization and quantitative analysis." p. 47.

K. Born, and D. Gustafson, “Detecting dns tunnels using character frequency analysis,” arXiv preprint arXiv:1004.4358, 2010.

R. Rasmussen, “Do you know what your dns resolver is doing right now,” Security Week. DOI= http://www. securityweek. com/do-you-know-what-your-dnsresolver-doing-right-now, 2012.

M. Dusi, M. Crotti, F. Gringoli, and L. Salgarelli, “Tunnel hunter: Detecting application-layer tunnels with statistical fingerprinting,” Computer Networks, vol. 53, no. 1, pp. 81-97, 2009.

P. E. Van Thuan Do, B. Feng, and T. van Do, “Detection of DNS Tunneling in Mobile Networks Using Machine Learning,” Information Science and Applications 2017: ICISA 2017, vol. 424, pp. 221, 2017.

M. Aiello, M. Mongelli, and G. Papaleo, “DNS tunneling detection through statistical fingerprints of protocol messages and machine learning,” International Journal of Communication Systems, vol. 28, no. 14, pp. 1987-2002, 2015.

G. Farnham, and A. Atlasis, “Detecting DNS tunneling,” InfoSec Reading Room, 2013.

S. B. Kotsiantis, I. Zaharakis, and P. Pintelas, "Supervised machine learning: A review of classification techniques," 2007.

M. Dusi, M. Crotti, F. Gringoli, and L. Salgarelli, "Detection of encrypted tunnels across network boundaries." pp. 1738-1744.

F. Allard, R. Dubois, P. Gompel, and M. Morel, Tunneling activities detection using machine learning techniques, DTIC Document, 2010.

M. Aiello, M. Mongelli, and G. Papaleo, "Basic classifiers for DNS tunneling detection." pp. 000880-000885.

A. L. Buczak, P. A. Hanke, G. J. Cancro, M. K. Toma, L. A. Watkins, and J. S. Chavis, "Detection of Tunnels in PCAP Data by Random Forests." p. 16.

M. Aiello, M. Mongelli, E. Cambiaso, and G. Papaleo, “Profiling DNS tunneling attacks with PCA and mutual information,” Logic Journal of IGPL, pp. jzw056, 2016.

I. Homem, P. Papapetrou, and S. Dosis, "Entropy-based Prediction of Network Protocols in the Forensic Analysis of DNS Tunnels."

L. Ferreira, M. Dosciatti, J. Nievola, and E. C. Paraiso, "Using a Genetic Algorithm Approach to Study the Impact of Imbalanced Corpora in Sentiment Analysis."

C.-C. Chang, and C.-J. Lin, “LIBSVM: a library for support vector machines,” ACM Transactions on Intelligent Systems and Technology (TIST), vol. 2, no. 3, pp. 27, 2011.

I. Homem, and P. Papapetrou, “Harnessing Predictive Models for Assisting Network Forensic Investigations of DNS Tunnels,” 2017.

DOI: http://doi.org/10.11591/ijece.v11i1.pp%25p
Total views : 0 times

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

ISSN 2088-8708, e-ISSN 2722-2578