The Use of Beacon Signals to Detect Covert Channels in DNS Traffic

Published in: Automatic Control and Computer Sciences

Abstract

An approach to detecting covert command-and-control (C2) channels carried over the DNS protocol is considered. It relies on identifying beacon signals, or other recurring traffic signatures, that are indicative of malware activity. Samples of real DNS traffic are analyzed and then approximated by a known statistical distribution. The time parameters of beacon signals sent at different frequencies are modeled, and the detection threshold that is optimal according to the Neyman–Pearson criterion is determined; this threshold minimizes the probability of a false alarm, i.e. of declaring a beacon signal where none is present. The results can improve the preliminary configuration of intrusion detection systems that use a statistical approach to analyze network traffic parameters.
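As an added illustration (the editor's code, not the paper's), the following Python block shows the Neyman–Pearson way of setting a beacon-detection threshold on per-(client, domain) DNS query timestamps: fix the false-alarm probability alpha under a benign-traffic model, then flag any query series more regular than that model allows. Everything specific is an assumption: benign lookups are modelled as a Poisson process (exponential inter-query gaps), the test statistic is the coefficient of variation (CV) of the gaps, the threshold is the alpha-quantile of that statistic under the benign model estimated by Monte Carlo, and the two timestamp series are constructed, not captured traffic. The paper fits its own distribution to real DNS traffic and models the beacon timing parameters; this code demonstrates only the threshold-setting step.

```python
"""Beacon detection on per-(client, domain) DNS query timestamps.

Editor's illustration, not the paper's code. The statistic (CV of the
inter-query gaps) and the benign model (Poisson arrivals, i.e. exponential
gaps) are assumptions; what is demonstrated is the Neyman-Pearson rule of
fixing the false-alarm probability alpha and flagging everything more
regular than the benign model allows at that alpha.
"""
import random
import statistics
from typing import List, Sequence


def interarrival_gaps(timestamps: Sequence[float]) -> List[float]:
    """Seconds between consecutive queries for one (client, domain) pair."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def gap_cv(gaps: Sequence[float]) -> float:
    """Coefficient of variation (population std / mean) of the gaps.
    About 1.0 for exponential gaps, close to 0 for a fixed-period timer."""
    if len(gaps) < 2:
        raise ValueError("need at least two gaps")
    mean = statistics.fmean(gaps)
    return 0.0 if mean == 0 else statistics.pstdev(gaps) / mean


def simulate_benign_gaps(rate: float, n: int, rng: random.Random) -> List[float]:
    """ASSUMPTION: benign lookups of a domain form a Poisson process of this rate."""
    return [rng.expovariate(rate) for _ in range(n)]


def neyman_pearson_threshold(alpha: float, n_gaps: int, rate: float,
                             trials: int, rng: random.Random) -> float:
    """Largest t with P(gap_cv < t | benign) <= alpha, estimated by Monte Carlo.
    Fixing the false-alarm probability and accepting every window below t is the
    Neyman-Pearson rule for this one-sided statistic."""
    cvs = sorted(gap_cv(simulate_benign_gaps(rate, n_gaps, rng)) for _ in range(trials))
    k = int(alpha * trials)  # number of benign windows allowed below t
    return cvs[k - 1] if k > 0 else 0.0


def is_beacon(timestamps: Sequence[float], threshold: float) -> bool:
    """Decide 'beacon' if the gaps are more regular than the benign model allows."""
    return gap_cv(interarrival_gaps(timestamps)) < threshold


def empirical_false_alarm_rate(threshold: float, n_gaps: int, rate: float,
                               trials: int, rng: random.Random) -> float:
    """Fraction of fresh benign windows the threshold flags (should land near alpha)."""
    hits = sum(gap_cv(simulate_benign_gaps(rate, n_gaps, rng)) < threshold
               for _ in range(trials))
    return hits / trials


def cumulative(gaps: Sequence[float], start: float = 0.0) -> List[float]:
    """Turn a list of gaps into absolute timestamps starting at `start`."""
    ts, t = [start], start
    for g in gaps:
        t += g
        ts.append(t)
    return ts


# Constructed sample data (not captured traffic): 20 gaps each, in seconds.
# Benign: bursty, human-driven lookups. Beacon: a 60 s timer with small jitter.
BENIGN_GAPS = [3, 41, 2, 190, 7, 1, 620, 12, 88, 4, 300, 9, 2, 1500, 35, 6, 70, 14, 950, 5]
BEACON_GAPS = [60.4, 59.1, 61.7, 58.9, 60.0, 62.3, 57.8, 60.9, 59.5, 61.1,
               60.2, 58.6, 61.9, 59.8, 60.7, 59.3, 62.0, 60.1, 58.4, 60.6]
BENIGN_TS = cumulative(BENIGN_GAPS, start=1_700_000_000.0)
BEACON_TS = cumulative(BEACON_GAPS, start=1_700_000_000.0)


def demo(alpha: float = 0.01, trials: int = 20000, seed: int = 7) -> dict:
    """Calibrate the threshold for windows of len(BENIGN_GAPS) gaps and apply it."""
    rng = random.Random(seed)
    n_gaps = len(BENIGN_GAPS)
    rate = 1 / 60.0  # benign model: one query per minute on average (assumption)
    t = neyman_pearson_threshold(alpha, n_gaps, rate, trials, rng)
    return {
        "threshold": t,
        "benign_cv": gap_cv(BENIGN_GAPS),
        "beacon_cv": gap_cv(BEACON_GAPS),
        "benign_flagged": is_beacon(BENIGN_TS, t),
        "beacon_flagged": is_beacon(BEACON_TS, t),
        "false_alarm_rate": empirical_false_alarm_rate(t, n_gaps, rate, trials, rng),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it prints the calibrated threshold, the two CVs and the decisions; the empirical false-alarm rate on fresh benign windows lands near alpha, which is the property the Neyman–Pearson threshold guarantees. In practice the benign model has to be fitted per environment (hence the paper's approximation of real traffic by a known distribution), and a beacon with large random jitter or skipped sleeps pushes its CV toward the benign range, so window length and alpha trade sensitivity against alert volume.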




Author information

Correspondence to M. A. Eremeev or V. S. Nefedov.

Ethics declarations

The authors declare that they have no conflicts of interest.

Additional information

Translated by V. Vetrov

About this article


Cite this article

Eremeev, M.A., Nefedov, V.S., Ostrovskii, A.S. et al. The Use of Beacon Signals to Detect Covert Channels in DNS Traffic. Aut. Control Comp. Sci. 55, 962–969 (2021). https://doi.org/10.3103/S0146411621080095


  • DOI: https://doi.org/10.3103/S0146411621080095
