An ensemble framework for detection of DNS-Over-HTTPS (DOH) traffic
Multimedia Tools and Applications
Domain Name System (DNS) is a fundamental protocol and backbone of the internet that translates domain names to Internet Protocol (IP) addresses. Initially, it was only meant for mapping domain names, however, currently it is used to transfer data over the internet in the form of plain text. This attracts attackers to perform cyberattacks such as DNS spoofing, DNS amplification, and cache poisoning etc. Various solutions were proposed to protect DNS protocol from such attacks such as using DNS load balancers, OpenDNS by Cisco, DNSFilters etc. However, despite these security measures, the attackers can still easily modify the data packets over the network leading to security and privacy concerns. DNS-Over-HTTPS (DOH) is recently introduced protocol with encrypted DNS that defends against issues related to security and eavesdropping largely. However, some challenges are associated with it that need to be addressed for its proper functioning. In this work, an approach is presented to automatically detect DOH traffic using Ensemble-based machine learning framework. The proposed technique is tested on the CIRA-CIC-DoHBrw-2020 dataset and evaluated on classification metrics such as precision, recall, f-score, and confusion metrics. Further, to develop a reliable model that can detect anomalies efficiently, a detailed analysis of false positives and false negatives is done. The demonstrated results show that the presented ensembling techniques EL1 and EL2 outperform the existing approaches by achieving an overall accuracy score of 99.5% and 99.7% respectively and F-score of about 99.8% and 99.7% respectively.
Open Access Status
This publication is not available as open access