Detecting Malicious DNS over HTTPs (DoH) Connections via Machine Learning Techniques
Published in: | Maǧallaẗ al-abḥath al-handasiyyaẗ 2021-12 |
---|---|
Main Authors: | , |
Format: | Article |
Language: | English |
Summary: | DoH is a modern protocol used as an alternative to the existing DNS protocol; it provides confidentiality and integrity to DNS functions by using protected channels. Since this kind of connection can pass through current protection systems, it can be used for spreading malicious software. There is a need for defense mechanisms that can detect and prevent these forms of malicious behavior. In this study, we propose a method to classify malicious DoH connections using machine learning techniques, and we propose a feature selection process which reduced the number of features used to 27% of the total 33 features and improved the detection level of malicious DoH connections. The study employs twelve different supervised machine learning classifiers, and the designed feature selection process used 8 different feature selection methods based on machine learning techniques for computing the importance of the features. The results were promising, since the accuracy scores were about 100% in detecting malicious DoH connections. |
---|---|
ISSN: | 2307-1877 2307-1885 |
DOI: | 10.36909/jer.14175 |