Abstract—A covert channel is an information channel which is used by computer process to exfiltrate data through bypassing security policies. The domain name system (DNS) protocol is one of the important ways to implement a covert channel. DNS covert channels are easily used by attackers for malicious purposes. Therefore, an effective detection of the DNS covert channels is significant for computer system and network security. Aiming at the difficulty of the DNS covert channel identification, we propose a DNS covert channel detection method based on stacking model. The stacking model is evaluated in a campus network and the experimental results show that the detection based on the stacking model can detect the DNS covert channels effectively. Besides, it can also identify unknown covert channel traffic. The area under the curve (AUC) of the proposed method, reaching 0.9901, outperforms the existed methods.

Index Terms—Covert channel, DNS, stacking model.

Peng Yang, Xinxin Wan, Guang Shi are with National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing 100029, China. Hao Qu is with Heilongjiang Branch of National Computer Network Emergency Response Technical Team/Coordination Center of China Harbin, China. Juan Li is with Institute of Information Engineering, Chinese Academy of Sciences, Beijing 150000, China. Lixin Yang is with Heilongjiang Preschool Education College Mudanjiang 157000, China.

Cite:Peng Yang, Xinxin Wan, Guang Shi, Hao Qu, Juan Li, Lixin Yang, "Identification of DNS Covert Channel Based on Stacking Method," International Journal of Computer and Communication Engineering vol. 10, no. 2, pp. 37-51, 2021.

Copyright © 2021 by the authors. This is an open access article distributed under the Creative Commons Attribution License which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited (CC BY 4.0).