A Practical Machine Learning-Based Framework to Detect DNS Covert Communication in Enterprises.

Ruming Tang, Cheng Huang, Yanti Zhou, Haoxian Wu, Xianglin Lu, Yongqian Sun, Qi Li, Jinjin Li, Weiyao Huang, Siyuan Sun, Dan Pei

SecureComm (2) (2020)

Citations: 5 | Views: 1
Abstract
DNS is a key protocol of the Internet infrastructure that ensures network connectivity. However, DNS suffers from various threats. In particular, DNS covert communication is a serious threat in enterprise networks, by which attackers establish stealthy communication channels between internal hosts and remote servers. In this paper, we propose DC² (Detection of DNS Covert Communication), a practical and flexible machine learning-based framework to detect DNS covert communications. DC² is an end-to-end framework that contains modular detection models, both supervised and unsupervised, which detect multiple types of threats efficiently and flexibly. We have deployed DC² in a large commercial bank with 100 million DNS queries per day. During the deployment, DC² detected over 4k anomalous DNS communications per day, achieving a precision above 0.97 on average. It uncovered a significant number of previously unnoticed security issues, including seven compromised hosts in the enterprise network.
Keywords
DNS, Malicious domain detection, Data exfiltration, DGA