Information-Based Heavy Hitters for Real-Time DNS Data Exfiltration Detection and Prevention
Yarin Ozery, Asaf Nadler, Asaf Shabtai

TL;DR
This paper introduces a real-time, resource-efficient method called ibHH for detecting DNS data exfiltration by estimating transmitted information, enabling faster response and lower false positives compared to existing offline techniques.
Contribution
The paper presents ibHH, a novel real-time detection approach using information-based heavy hitters with constant memory and query time, suitable for deployment on DNS servers.
Findings
Successfully detects slow exfiltration rates as low as 0.7 B/s.
Achieves false positive rates below 0.004.
Consumes significantly fewer resources than state-of-the-art methods.
Abstract
Data exfiltration over the DNS protocol and its detection have been researched extensively in recent years. Prior studies focused on offline detection methods, which, although capable of detecting attacks, allow a large amount of data to be exfiltrated before the attack is detected and dealt with. In this paper, we introduce Information-based Heavy Hitters (ibHH), a real-time detection method based on live estimations of the amount of information transmitted to registered domains. ibHH uses constant-size memory and supports constant-time queries, which makes it suitable for deployment on recursive DNS servers to further reduce detection and response time. In our evaluation, we compared the performance of the proposed method to that of leading state-of-the-art DNS exfiltration detection methods on real-world datasets comprising over 250 billion DNS queries. The evaluation…
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Network Security and Intrusion Detection · Network Packet Processing and Optimization
