DNS Tunneling Detection Method Based on Multilabel Support Vector Machine

الملخص EN

DNS tunneling is a method used by malicious users who intend to bypass the firewall to send or receive commands and data.

This has a significant impact on revealing or releasing classified information.

Several researchers have examined the use of machine learning in terms of detecting DNS tunneling.

However, these studies have treated the problem of DNS tunneling as a binary classification where the class label is either legitimate or tunnel.

In fact, there are different types of DNS tunneling such as FTP-DNS tunneling, HTTP-DNS tunneling, HTTPS-DNS tunneling, and POP3-DNS tunneling.

Therefore, there is a vital demand to not only detect the DNS tunneling but rather classify such tunnel.

This study aims to propose a multilabel support vector machine in order to detect and classify the DNS tunneling.

The proposed method has been evaluated using a benchmark dataset that contains numerous DNS queries and is compared with a multilabel Bayesian classifier based on the number of corrected classified DNS tunneling instances.

Experimental results demonstrate the efficacy of the proposed SVM classification method by obtaining an f-measure of 0.80.