Abstract
This paper addresses the problem of blocking Domain Name System (DNS) exfiltration in a computer network. DNS exfiltration is the unauthorized transfer of sensitive data from the organization's network to a remote adversary. Given a detector of data exfiltration in DNS lookup queries, this paper proposes an approach to automate query blocking decisions. More precisely, it defines an L-parametric Partially Observable Markov Decision Process (POMDP) formulation to enforce a query blocking strategy at each network egress point, where L is a hyper-parameter that defines the required level of network security. The efficiency of the approach rests on (i) the absence of interactions between distributed detectors: blocking decisions are taken individually by each detector; and (ii) the blocking strategy being applied to each particular query, thereby minimizing potentially incorrect blocking decisions.
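The following is an added illustration of the per-query, per-egress-point decision the abstract describes; it is not the paper's formulation or code. It assumes a two-state hidden model (client is exfiltrating or benign), a detector with assumed true-positive and false-positive rates, a myopic one-step decision rule in place of the paper's online planning, and an interpretation of L as the cost assigned to letting a single exfiltration query through. The stream of detector verdicts is constructed.

```python
"""POMDP-style belief tracking and per-query DNS blocking at one egress point.

Simplified illustration, not the paper's method: the egress point keeps a
belief that the current client is exfiltrating over DNS, updates it from the
noisy detector verdict on each query, and blocks a query when the expected
cost of allowing it exceeds the expected cost of blocking it. Rates and costs
below are assumed values chosen for the example.
"""
from dataclasses import dataclass


@dataclass
class DetectorModel:
    """Observation model: how often the detector flags a query per hidden state (assumed)."""
    p_flag_given_exfil: float = 0.90   # true-positive rate
    p_flag_given_benign: float = 0.05  # false-positive rate


@dataclass
class BlockingPolicy:
    """Transition model plus cost-based decision rule (assumed structure)."""
    L: float                           # security level: cost of one leaked query
    cost_block_benign: float = 1.0     # cost of blocking a legitimate query
    p_stop: float = 0.02               # per-query chance an exfiltrator stops
    p_start: float = 0.001             # per-query chance a benign client starts

    def predict(self, belief: float) -> float:
        """Transition step: belief that the next query comes from an exfiltrating client."""
        return belief * (1 - self.p_stop) + (1 - belief) * self.p_start

    def update(self, belief: float, flagged: bool, det: DetectorModel) -> float:
        """Bayes update of the belief after observing one detector verdict."""
        prior = self.predict(belief)
        like_exfil = det.p_flag_given_exfil if flagged else 1 - det.p_flag_given_exfil
        like_benign = det.p_flag_given_benign if flagged else 1 - det.p_flag_given_benign
        numerator = like_exfil * prior
        denominator = numerator + like_benign * (1 - prior)
        return numerator / denominator

    def should_block(self, belief: float) -> bool:
        """One-step rule: block when the expected leak cost exceeds the expected false-block cost."""
        expected_cost_allow = belief * self.L
        expected_cost_block = (1 - belief) * self.cost_block_benign
        return expected_cost_allow > expected_cost_block


def run_stream(verdicts, policy: BlockingPolicy, det: DetectorModel, initial_belief: float = 0.01):
    """Process detector verdicts for a client's queries in order.

    Returns a list of (belief_after_update, blocked) pairs, one per query.
    Each egress point runs this independently; no state is shared between detectors.
    """
    belief = initial_belief
    decisions = []
    for flagged in verdicts:
        belief = policy.update(belief, flagged, det)
        decisions.append((belief, policy.should_block(belief)))
    return decisions


if __name__ == "__main__":
    # Constructed verdict stream: five clean-looking queries, then a run of flagged ones.
    verdicts = [False] * 5 + [True] * 8
    policy = BlockingPolicy(L=10.0)
    det = DetectorModel()
    for i, (belief, blocked) in enumerate(run_stream(verdicts, policy, det)):
        print(f"query {i:2d} flagged={verdicts[i]!s:5} belief={belief:.4f} blocked={blocked}")
```

Raising L lowers the belief threshold at which a query is blocked (with L = 10 and a unit false-block cost the rule blocks above a belief of roughly 0.09), so a stricter security level trades more blocked legitimate queries for earlier interruption of a leak; lowering L does the opposite. A single flagged query is not enough to block a client with a low prior, which is the per-query property the abstract highlights.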
Cite
Bubnov, Y. (2019). DNS Data Exfiltration Detection Using Online Planning for POMDP. European Journal of Engineering Research and Science, 4(9), 22–25. https://doi.org/10.24018/ejers.2019.4.9.1500