Unsupervised SOM-Based Intrusion Detection System for DNS Tunneling Attacks

  • Júlio F. Luz UFPE / Tempest Security Intelligence
  • Paulo Freitas de Araujo-Filho UFPE
  • Henrique F. Arcoverde UFPE / Tempest Security Intelligence
  • Divanilson R. Campelo UFPE


Although the Domain Name System (DNS) is an essential protocol for Internet operation, it may also be used for malicious activities, such as data exfiltration, through the establishment of malicious DNS tunnels. In this paper, we propose an unsupervised intrusion detection system (IDS) for detecting malicious DNS tunneling activities by leveraging self-organizing maps (SOM). Our experimental results show that our proposed solution achieved an F1-score of 0.9460, outperforming similar existing techniques in publicly available datasets, and successfully detected attacks conducted in a corporate network.


Bubnov, Y. (2019). DNS Tunneling Queries for Binary Classification. Mendeley Data.

CAIDA (2021). The CAIDA UCSD IPv4 Routed /24 DNS Names Dataset. [link].

Campbell, A. J. and Zincir-Heywood, N. (2020). Exploring tunneling behaviours in malicious domains with self-organizing maps. In 2020 IEEE Symposium Series on Computational Intelligence (SSCI), pages 1419–1426.

Lambion, D., Josten, M., Olumofin, F., and De Cock, M. (2020). Malicious DNS Tunneling Detection in Real-Traffic DNS Data. In 2020 IEEE International Conference on Big Data (Big Data), pages 5736–5738.

Majestic (2023). Top 1 million websites in the world. [link].

Nguyen, T. Q., Laborde, R., Benzekri, A., and Qu’hen, B. (2020). Detecting abnormal dns traffic using unsupervised machine learning. In 2020 4th Cyber Security in Networking Conference (CSNet), pages 1–8.

PaloAlto (2021). Real-world Examples Of Emerging DNS Attacks and How We Must Adapt. [link].

Park, K. H., Song, H. M., Yoo, J. D., Hong, S.-Y., Cho, B., Kim, K., and Kim, H. K. (2022). Unsupervised Malicious Domain Detection with Less Labeling Effort. Comput. Secur., 116(C).

Tian, J., Azarian, M. H., and Pecht, M. G. (2014). Anomaly Detection Using Self-Organizing Maps-Based K-Nearest Neighbor Algorithm.

Wang, Y., Zhou, A., Liao, S., Zheng, R., Hu, R., and Zhang, L. (2021). A comprehensive survey on DNS tunnel detection. Computer Networks, 197:108322.
LUZ, Júlio F.; ARAUJO-FILHO, Paulo Freitas de; ARCOVERDE, Henrique F.; CAMPELO, Divanilson R.. Unsupervised SOM-Based Intrusion Detection System for DNS Tunneling Attacks. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 23. , 2023, Juiz de Fora/MG. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2023 . p. 516-521. DOI: https://doi.org/10.5753/sbseg.2023.233583.

Artigos mais lidos do(s) mesmo(s) autor(es)