Denis Petrov - Domainator: Detecting and Identifying DNS-Tunneling Malware Using Metadata Sequences
Location: Universität Ulm, 026-5009

The use of covert channels and tunneling techniques has increasingly become part of the current malware landscape. While malware research has produced new methods for their detection, none of these are based solely on the DNS tunneling traffic itself. Domainator is an approach to evaluating state-of-the-art malware and DNS tunneling tools by analyzing the sequential patterns within the traffic flow. We consider 7 real-world malware samples and open-source tools and attempt to detect and identify the malware based on the traffic it generates. Furthermore, we infer the rough behavior of the malware from the same features.
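To make the idea of "sequential patterns in DNS metadata" concrete, here is an added example that is not Domainator's code and does not reproduce its features or its classifier. It builds, per (client, registered domain), the ordered sequence of query metadata (first-label length, first-label character entropy, query type, timestamp) from a few constructed DNS log lines and scores each sequence with hand-picked thresholds. The log format, the `registered_domain` heuristic (last two labels) and all threshold values are assumptions for this demo, not something the talk states.

```python
"""Toy metadata-sequence check for DNS tunneling.

Added example; not Domainator's code. Thresholds and the log format are
assumptions chosen for this demonstration.
"""
import math
from collections import defaultdict

# Constructed sample log lines: "<unix_ts> <client_ip> <qname> <qtype>".
# Not real traffic from the talk; made up for this example.
SAMPLE_LOG = """\
1700000000.001 10.0.0.5 www.example.com A
1700000000.120 10.0.0.5 cdn.example.com A
1700000000.300 10.0.0.7 3q7x9ka2mz8vbn4p.t.example-tunnel.net TXT
1700000000.410 10.0.0.7 9hs2lp0qwe7rtyu1.t.example-tunnel.net TXT
1700000000.520 10.0.0.7 bd5z1mvc8xks4hjn.t.example-tunnel.net TXT
1700000000.630 10.0.0.7 0plmkoijn7uhbygv.t.example-tunnel.net TXT
1700000000.740 10.0.0.7 qaz2wsx3edc4rfv5.t.example-tunnel.net TXT
1700000001.000 10.0.0.5 mail.example.com MX
"""

# Assumed thresholds: a sequence is flagged only when all of them hold.
MIN_QUERIES = 4            # need a sequence, not a single odd lookup
MIN_MEAN_LABEL_LEN = 12.0  # tunnels pack data into long labels
MIN_MEAN_ENTROPY = 3.0     # encoded payloads look close to random
MIN_UNIQUE_RATIO = 0.9     # each query carries a fresh chunk of data


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Assumption: the last two labels. A real tool would use the public
    suffix list so that e.g. example.co.uk is handled correctly."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> list:
    """Parse the constructed four-column format; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({"ts": float(ts), "client": client,
                        "qname": qname.rstrip("."), "qtype": qtype})
    return records


def metadata_sequences(records: list) -> dict:
    """Group queries by (client, registered domain), ordered by time, keeping
    only metadata about each query rather than its payload."""
    seqs = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        first = r["qname"].split(".")[0]
        key = (r["client"], registered_domain(r["qname"]))
        seqs[key].append({"ts": r["ts"], "label": first,
                          "label_len": len(first),
                          "entropy": shannon_entropy(first),
                          "qtype": r["qtype"]})
    return seqs


def score_sequence(seq: list) -> dict:
    """Summarise one metadata sequence and apply the assumed thresholds."""
    n = len(seq)
    mean_len = sum(e["label_len"] for e in seq) / n
    mean_ent = sum(e["entropy"] for e in seq) / n
    unique_ratio = len({e["label"] for e in seq}) / n
    gaps = [b["ts"] - a["ts"] for a, b in zip(seq, seq[1:])]
    mean_gap = sum(gaps) / len(gaps) if gaps else None
    suspicious = (n >= MIN_QUERIES and mean_len >= MIN_MEAN_LABEL_LEN
                  and mean_ent >= MIN_MEAN_ENTROPY
                  and unique_ratio >= MIN_UNIQUE_RATIO)
    return {"queries": n, "mean_label_len": mean_len, "mean_entropy": mean_ent,
            "unique_ratio": unique_ratio, "mean_gap_s": mean_gap,
            "qtypes": sorted({e["qtype"] for e in seq}),
            "suspicious": suspicious}


def analyze(text: str) -> dict:
    """Map (client, registered domain) -> feature summary and verdict."""
    return {key: score_sequence(seq)
            for key, seq in metadata_sequences(parse_log(text)).items()}


if __name__ == "__main__":
    for (client, domain), f in analyze(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{client:10} {domain:22} n={f['queries']} "
              f"len={f['mean_label_len']:.1f} H={f['mean_entropy']:.2f} {flag}")
```

Running the block prints one line per (client, domain) pair; in the constructed sample only the `10.0.0.7` / `example-tunnel.net` sequence trips every threshold. The point of grouping by sequence rather than judging single queries is that one long, high-entropy label is unremarkable (CDN hostnames and DKIM selectors look like that), whereas a run of them toward one domain is what a metadata-based detector can act on; real deployments would tune the thresholds against their own baseline traffic.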