Detection of malicious and low throughput data exfiltration over the DNS protocol

In the presence of security countermeasures, a malware designed for data exfiltration must use a covert channel to achieve its goal. The Domain Name System (DNS) protocol is a covert channel commonly used by malware developers today for this purpose. Although the detection of covert channels using the DNS has been studied for the past decade, prior research has largely dealt with a specific subclass of covert channels, namely DNS tunneling. While the importance of tunneling detection should not be minimized, an entire class of low throughput DNS exfiltration malware has been overlooked. In this study, we propose a method for detecting both tunneling and low throughput data exfiltration over the DNS. After determining that previously detected malware used Internet domains that were registered for a cyber-campaign rather than compromising existing legitimate domains, we focus on detecting and denying requests to these domains as an effective data leakage shutdown. Therefore, our proposed solution handles streaming DNS traffic in order to detect and automatically deny requests to domains that are used for data exchange. The initial data collection phase collects DNS logs per domain in a manner that permits scanning for long periods of time, and is thus capable of dealing with “low and slow” attacks. In the second phase features are extracted based on the querying behavior of each domain, and in the last phase an anomaly detection model is used to classify domains based on their use for data exfiltration. With regard to detection, DNS requests to domains that were classified as being used for data exfiltration will be denied indefinitely. Our method was evaluated on a large-scale recursive DNS server's logs with a peaking high of 47 million requests per hour. Within these DNS logs, we injected data exfiltration traffic from DNS tunneling tools as well as two real-life malware: FrameworkPOS, previously used for the theft of 56M credit cards from Home Depot in 2014, and Backdoor.Win32.Denis, which was active in the Cobalt Kitty APT in 2016. Even when restricting our method to an extremely low false positive rate (i.e., one in fifty thousand domains), it detected all of the above. In addition, the logs are used to compare our system with two recently published methods that focus on detecting DNS tunneling in order to stress the novelty of detecting low throughput exfiltration malware.