DoH Insight: Detecting DNS over HTTPS by Machine Learning
Result identifiers
Result code in IS VaVaI
RIV/63839172:_____/20:10133298 - isvavai.cz (https://www.isvavai.cz/riv?ss=detail&h=RIV%2F63839172%3A_____%2F20%3A10133298)
Alternative codes found
RIV/68407700:21240/20:00342630
Result on the web
http://dx.doi.org/10.1145/3407023.3409192
DOI - Digital Object Identifier
10.1145/3407023.3409192
Alternative languages
Result language
English
Title in original language
DoH Insight: Detecting DNS over HTTPS by Machine Learning
Result description in original language
Over the past few years, a new protocol, DNS over HTTPS (DoH), has been created to improve users' privacy on the internet. DoH can be used instead of traditional DNS for domain name translation with encryption as a benefit. This new feature also brings some threats because various security tools depend on readable information from DNS to identify, e.g., malware, botnet communication, and data exfiltration. Therefore, this paper focuses on the possibilities of encrypted traffic analysis, especially on the accurate recognition of DoH. The aim is to evaluate what information (if any) can be gained from HTTPS extended IP flow data using machine learning. We evaluated five popular ML methods to find the best DoH classifiers. The experiments show that the accuracy of DoH recognition is over 99.9 %. Additionally, it is also possible to identify the application that was used for DoH communication, since we have discovered (using created datasets) significant differences in the behavior of Firefox, Chrome, and cloudflared. Our trained classifier can distinguish between DoH clients with 99.9 % accuracy.
Classification
Type
D - Article in proceedings
CEP field
—
OECD FORD field
10201 - Computer sciences, information science, bioinformatics (hardware development to be 2.2, social aspect to be 5.8)
Result linkages
Project
—
Linkages
R - EC Framework Programme project
Other
Year of implementation
2020
Data confidentiality code
S - Complete and true data on the project are not subject to protection under special legal regulations
Data specific to the result type
Title of the paper in the proceedings
ARES '20: Proceedings of the 15th International Conference on Availability, Reliability and Security
ISBN
978-1-4503-8833-7
ISSN
—
e-ISSN
—
Number of pages of the result
8
Pages from-to
1-8
Publisher name
ACM
Place of publication
New York, NY, USA
Event location
Dublin, Ireland
Event date
25. 8. 2020
Event type by nationality
WRD - Worldwide event
UT WoS code of the article
—