Detecting Malicious DNS over HTTPS (DoH) Connections via Machine Learning Techniques

Harb M. R. A., Özekes S.

JOURNAL OF ENGINEERING RESEARCH, vol. 1, pp. 1-17, 2021 (SCI-Expanded)

  • Publication Type: Article / Full Article
  • Volume Number: 1
  • Publication Date: 2021
  • DOI Number: 10.36909/jer.14175
  • Journal Name: JOURNAL OF ENGINEERING RESEARCH
  • Indexes Covering the Journal: Science Citation Index Expanded (SCI-EXPANDED), Scopus, Academic Search Premier, Arab World Research Source, Directory of Open Access Journals
  • Page Numbers: pp. 1-17
  • Marmara University Affiliation: No

Abstract

DoH is a modern protocol used as an alternative to the existing DNS protocol; it provides confidentiality and integrity for DNS functions by carrying them over protected channels. Because this kind of connection can pass through current protection systems, it can be used for spreading malicious software, so defense mechanisms that can detect and prevent these forms of malicious behavior are needed. In this study, we propose a method to classify malicious DoH connections using machine learning techniques, together with a feature selection process that reduced the number of features used to 27% of the 33 total features and improved the detection of malicious DoH connections. The study employs twelve different supervised machine learning classifiers, and the designed feature selection process uses 8 different machine-learning-based feature selection methods to score the importance of the features. The results were promising, with accuracy scores of about 100% in detecting malicious DoH connections.