MétaCan
Menu
Back to cohort
Record W4200477998 · doi:10.33640/2405-609x.3155

Detecting Malicious DNS Queries Over Encrypted Tunnels Using Statistical Analysis and Bi-Directional Recurrent Neural Networks

2021· article· en· W4200477998 on OpenAlex
Mohammad Al-Fawa’reh, Zain Ashi, Mousa Tayseer Jafar

Why this work is in the frame

A frame that forgets how it found something cannot be audited. These are the routes that admitted this work.

aboutThe title or abstract carries a Canadian signal from the geographic lexicon.
no affNo Canadian affiliation: this work is invisible to an affiliation-only frame.
No Canadian affiliation. An affiliation-only frame, the usual design, would never have seen this work. It is one of the works that make the case for inverting the frame.

Bibliographic record

VenueKarbala International Journal of Modern Science · 2021
Typearticle
Languageen
FieldComputer Science
TopicInternet Traffic Analysis and Secure E-voting
Canadian institutionsnot available
FundersYarmouk University
KeywordsComputer scienceBotnetDomain Name SystemComputer securityExploitMalwareComputer networkBlacklistNetwork administratorNetwork securityEncryptionRobustness (evolution)Intrusion detection systemThe InternetWorld Wide Web

Abstract

fetched live from OpenAlex

The exponential rise in the number of malicious threats targeting computer networks and digital services puts network infrastructure in jeopardy. Domain name protocol attacks are one of the most pervasive network attacks posing a threat to networks, whereby attackers send harmful information to the network; this type of threat is identified as DNS tunneling. The DNS protocol has recently gained increased attention from cyber-attackers, targeting organizations with a web presence or reliance on e-commerce businesses. Cyber-attackers can subtly exploit the contents of encrypted DNS packets that are sent across covert network tunnels, which are difficult for firewalls and blacklist detection methods to detect. Therefore, efficient methods for detecting DNS intrusions in the network are required. Machine learning (ML), deep learning (DL), and computational intelligence models have proved to be increasingly effective in dealing with these cyber-attacks, especially when using an appropriate dataset. This paper proposes an intrusion detection model to detect malicious DNS over HTTPS (DoH) queries among network covert tunnels, using statistical analysis and Bi-directional Recurrent Neural Network (BRNN) techniques, based on the flow level of the network traffic. The proposed approach was tested and evaluated based on a realistic dataset called CIRA-CIC-DoHBrw-2020, provided by the Canadian Institute for Cybersecurity. Experiments have shown that the robustness of the model is strong, with a detection rate of 100%. Furthermore, the proposed model achieved high performance in terms of the accuracy rate in detecting malicious DoH queries, with low false-negative and false-positive rates. Furthermore, the number of features used is fewer than other approaches, making it perform faster in the training and testing phases.

Fetched live from OpenAlex and de-inverted. Abstracts are not stored in this database: the inverted indexes are 8.6 GB of the frame’s 9.3 GB of text, and the host has 13 GB free.

Full frame distilled prediction

Teacher imitation

Not calibrated prevalence, not ground truth. Human validation pending. Learned from the 10,348 direct Codex labels and 10,348 direct Gemma labels. Candidate is the union of thresholded teacher heads; consensus is their intersection. These outputs are machine_predicted_unvalidated and are not human labels or direct frontier model labels.

metaresearch head score (Codex)0.001
metaresearch head score (Gemma)0.001
Version: codex-gemma-dda1882f352aValidation status: machine_predicted_unvalidated
Candidate categoriesnone
Consensus categoriesnone
DomainCandidate signal: none · Consensus signal: none
Study designCandidate signal: Simulation or modeling · Consensus signal: Simulation or modeling
GenreCandidate signal: Empirical · Consensus signal: none
Teacher disagreement score0.574
Threshold uncertainty score0.866

Codex and Gemma teacher scores by category

CategoryCodexGemma
Metaresearch0.0010.001
Meta-epidemiology (narrow)0.0000.000
Meta-epidemiology (broad)0.0000.000
Bibliometrics0.0010.001
Science and technology studies0.0000.000
Scholarly communication0.0010.001
Open science0.0010.000
Research integrity0.0000.000
Insufficient payload (model declined to judge)0.0000.000

Machine scores (provisional)

The two teacher heads of the student model, read on this work. A score orders the frame for review; it never asserts a category, and the validation status ships verbatim with every row.

Baseline scores from an immature model (maturity gate not passed, 7 training rounds). Scores rank; they never assert a category.

Opus teacher head0.017
GPT teacher head0.291
Teacher spread0.273 · how far apart the two teachers sit on this one work
Validation statusscore_only:v0-immature-baseline · verbatim from the scoring run: score_only means the number may rank works, and no category label ships from it