DNS Data Exfiltration Detection Using Online Planning for POMDP


  •   Yakov Bubnov


This paper addresses a problem of blocking Domain Name System (DNS) exfiltration in a computer network. DNS exfiltration implies unauthorized transfer of sensitive data from the organization network to the remote adversary. Given detector of data exfiltration in DNS lookup queries this paper proposes an approach to automate query blocking decisions. More precisely, it defines an L-parametric Partially Observable Markov Decision Process (POMDP) formulation to enforce query blocking strategy on each network egress point, where L is a hyper-parameter that defines necessary level of the network security. The efficiency of the approach is based on (i) absence of interactions between distributed detectors, blocking decisions are taken individually by each detector; (ii) blocking strategy is applied to each particular query, therefore minimizing potentially incorrect blocking decisions.

Keywords: Data Exfiltration, Domain Name System, POMDP, Tunneling Detection


P. Kerr, J. Rollins, C. Theohary, The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability, Washington D.C.: Library of Congress. Congressional Research Service, 2010, pp. 2-3.

H. Binsalleeh and A. Youssef, “An implementation for a worm detection and mitigating system”, presented at the 24th Biennial Symposium on Communications, Kingston, Canada, June 24-26, 2008.

D. Bolzoni and S. Etalle, “Approaches in Anomaly-based Network Intrusion Detection Systems” in Intrusion Detection Systems, R. Di Pierto, L. Mancini, NY: Springer, 2008, pp. 1-15.

X. Zhong, Y. Fu, L. Yu, R. Brooks, K. Venayagamoorthy, “Stealthy Malware Traffic - Not as Innocent as It Looks” in Malicious and Unwanted Software (MALWARE), 2015, pp. 110-116.

C. Deitrich, C. Rossow, F. Freiling, H. Boss, M. van Steen, N. Pohlman, “Botnets that use DNS for Command and Control”, Gelsenkirchen, Institute of Internet Security, 2011.

C. Qi, X. Chen, J. Shi, P. Liu, “A Bigram Based Real Time DNS Tunnel Detection Approach” in Information Technology and Quantitative Management, 2013, pp. 852-860.

B. Yu, L. Smith, M. Threefoot, F. Olumofin, “Behavioral Analysis based DNS Tunneling Detection and Classification with Big Data Technologies” in Proceeding of the International Conference of Internet of Things and Big Data, 2016, pp. 284-290.

I. Valenzuela, “Game Changer: Identifying and Defending Against Data Exfiltration Attempts”, Boston, MA: SANS Institute, 2015.

A. Nadler, A. Aminov, A. Shabtai, “Detection of Malicious and Low Throughput Data Exfiltration over the DNS protocol”, Negev, Ben Gurion University of Negev, 2017.

A. Almusawi, H. Amintoosi, “DNS Tunneling Detection Method Based on Multilabel Support Vector Machine”, Security and Communication Networks, vol. 2018, Jan. 2018.

S. Mc Carthy, A. Sinha, M. Tambe, P. Manadhata, “Data Exfiltration Detection and Prevention: Virtually Distributed POMPDs for Practically Safer Networks”, GameSec 2016, LNCS 9996, pp. 39-61, 2016.

Y. Bubnov, “DNS Tunneling Detection Using Feedforward Neural Network”, European Journal of Engineering Research and Science, vol. 3, no. 11, pp. 16-19, Nov. 2018.

D. Silver, J. Veness, “Monte-Carlo Planning in Large POMDPs”, Advances in Neural Information Processing Systems (NIPS), vol. 23, 2010.


Download data is not yet available.


How to Cite
Bubnov, Y. 2019. DNS Data Exfiltration Detection Using Online Planning for POMDP. European Journal of Engineering Research and Science. 4, 9 (Sep. 2019), 22-25. DOI:https://doi.org/10.24018/ejers.2019.4.9.1500.