DNS Tunnel Detection Scheme Based on Machine Learning in Campus Network

DNS tunnel is a type of tunnel technique based on DNS protocol. It is usually used to establish C&C channel between the controlled host and master server in botnet by cybercriminals. This paper proposes a novel system to detect DNS tunnel intelligently. We first analyze domain characteristics from three aspects: payload-based features, traffic-based features, and resolution-based features, and then extract the representative features from the raw DNS servers in a real-world educational network. Finally, a fusion RF-LR model is proposed to classify the DNS tunnel, which first uses random forest as base learner and then takes leafnodes of each decision tree as input attributes of the logistic regression process. The experimental results demonstrate that our model is superior to other algorithms in terms of accuracy, recall and stability.