Deep Learning Based DNS Tunneling Detection and Blocking System

Abstract

The main purpose of DNS is to convert domain names into IPs. Due to the inadequate precautions taken for the security of DNS, it is used for malicious communication or data leakage. Within the scope of this study, a real-time deep network-based system is proposed on live networks to prevent the common DNS tunneling threats over DNS. The decisionmaking capability of the proposed system at the instant of threat on a live system is the particular feature of the study. Networks trained with various deep network topologies by l using the data from Alexa top 1 million sites were tested on a live network. The system was integrated to the network during the tests to prevent threats in real-time. The result of the tests reveal that the threats were blocked with success rate of 99.91%. Obtained results confirm that we can block almost all tunnel attacks over DNS protocol. In addition, the average time to block each tunneled package was calculated to be 0.923 ms. This time clearly demonstrates that the network flow will not be affected, and no delay will be experienced in the operation of our system in real-time.