Enriching DNS Flows with Host-Based Events to Bypass Future
Protocol Encryption

D 2021

Enriching DNS Flows with Host-Based Events to Bypass Future Protocol Encryption

ŠPAČEK, Stanislav; Daniel TOVARŇÁK a Pavel ČELEDA

Základní údaje

Originální název

Enriching DNS Flows with Host-Based Events to Bypass Future Protocol Encryption

Autoři

ŠPAČEK, Stanislav; Daniel TOVARŇÁK a Pavel ČELEDA

Vydání

1. vyd. Oslo, ICT Systems Security and Privacy Protection, od s. 302-316, 15 s. 2021

Nakladatel

Springer

Další údaje

Jazyk

angličtina

Typ výsledku

Stať ve sborníku

Obor

10200 1.2 Computer and information sciences

Stát vydavatele

Spojené státy

Utajení

není předmětem státního či obchodního tajemství

Forma vydání

tištěná verze "print"

Odkazy

URL

Označené pro přenos do RIV

Ano

Kód RIV

RIV/00216224:14610/21:00121835

Organizační jednotka

Ústav výpočetní techniky

ISBN

978-3-030-78119-4

ISSN

Klíčová slova anglicky

DNS; NIDS; HIDS; Encrypted network traffic; Event-flow correlation

Štítky

core_B, firank_B, rivok

Příznaky

Mezinárodní význam, Recenzováno

Změněno: 4. 6. 2026 12:55, Mgr. Petra Trembecká, Ph.D.

Anotace

V originále

Monitoring of host-based events and network flows are the two most common techniques for collecting and analyzing cybersecurity data. However, events and flows are either monitored separately or correlated as alerts in higher aggregated forms. The event-flow correlation on the monitoring level would match related events and flows together and enabled observing both data in near real-time. This approach allows substituting application-level flow information that will not be available due to encryption, which is being employed in a number of communication protocols. In this paper, we performed the event-flow correlation of the DNS protocol. We developed a general model that describes the relation between events and flows to enable an accurate time-based correlation where parameter-based correlation is not feasible. Based on the model, we designed three event-flow correlation methods based on common parameters and times of occurrence. We evaluated the correlation methods using a recent and public dataset, both with and without the extended flow information, to simulate DNS flow encryption. The results of the method combining parameter-based and time-based matching show that matching related DNS events to flows is possible and substitutes the data that might soon be lost in encryption.

Návaznosti

MUNI/A/1527/2020, interní kód MU

Název: Aplikovaný výzkum na FI: softwarové architektury kritických infrastruktur, bezpečnost počítačových systémů a zpracování senzorových dat (Akronym: SVFI-SSS)

Investor: Masarykova univerzita, Aplikovaný výzkum na FI: softwarové architektury kritických infrastruktur, bezpečnost počítačových systémů a zpracování senzorových dat

830927, interní kód MU

Název: Cyber security cOmpeteNce fOr Research anD Innovation (Akronym: CONCORDIA)

Investor: Evropská unie, Cyber security cOmpeteNce fOr Research anD Innovation, Leadership in enabling and industrial technologies (LEIT) (Industrial Leadership)

Přiložené soubory

2021-SEC-Enriching-DNS-Flows_with-Host-Based-Events.pdf Verze souboru

2021-SEC-Enriching-DNS-Flows_with-Host-Based-Events-presentation.pdf Verze souboru

Citovat

ŠPAČEK, Stanislav; Daniel TOVARŇÁK a Pavel ČELEDA. Enriching DNS Flows with Host-Based Events to Bypass Future Protocol Encryption. In Audun Jøsang, Lynn Futcher, Janne Hagen. ICT Systems Security and Privacy Protection. 1. vyd. Oslo: Springer, 2021, s. 302-316. ISBN 978-3-030-78119-4. Dostupné z: https://doi.org/10.1007/978-3-030-78120-0_20.

@inproceedings{1778298,
   author = {Špaček, Stanislav and Tovarňák, Daniel and Čeleda, Pavel},
   address = {Oslo},
   booktitle = {ICT Systems Security and Privacy Protection},
   doi = {https://doi.org/10.1007/978-3-030-78120-0_20},
   edition = {1},
   editor = {Audun Jøsang, Lynn Futcher, Janne Hagen},
   keywords = {DNS; NIDS; HIDS; Encrypted network traffic; Event-flow correlation},
   howpublished = {tištěná verze "print"},
   language = {eng},
   location = {Oslo},
   isbn = {978-3-030-78119-4},
   pages = {302-316},
   publisher = {Springer},
   title = {Enriching DNS Flows with Host-Based Events to Bypass Future Protocol Encryption},
   url = {https://doi.org/10.1007/978-3-030-78120-0_20},
   year = {2021}
}

TY  - CONF
ID  - 1778298
AU  - Špaček, Stanislav - Tovarňák, Daniel - Čeleda, Pavel
PY  - 2021
TI  - Enriching DNS Flows with Host-Based Events to Bypass Future Protocol Encryption
PB  - Springer
CY  - Oslo
SN  - 9783030781194
KW  - DNS
KW  - NIDS
KW  - HIDS
KW  - Encrypted network traffic
KW  - Event-flow correlation
UR  - https://doi.org/10.1007/978-3-030-78120-0_20
N2  - Monitoring of host-based events and network flows are the two most common techniques for collecting and analyzing cybersecurity data. However, events and flows are either monitored separately or correlated as alerts in higher aggregated forms. The event-flow correlation on the monitoring level would match related events and flows together and enabled observing both data in near real-time. This approach allows substituting application-level flow information that will not be available due to encryption, which is being employed in a number of communication protocols. In this paper, we performed the event-flow correlation of the DNS protocol. We developed a general model that describes the relation between events and flows to enable an accurate time-based correlation where parameter-based correlation is not feasible. Based on the model, we designed three event-flow correlation methods based on common parameters and times of occurrence. We evaluated the correlation methods using a recent and public dataset, both with and without the extended flow information, to simulate DNS flow encryption. The results of the method combining parameter-based and time-based matching show that matching related DNS events to flows is possible and substitutes the data that might soon be lost in encryption.
ER  -

ŠPAČEK, Stanislav; Daniel TOVARŇÁK a Pavel ČELEDA. Enriching DNS Flows with Host-Based Events to Bypass Future Protocol Encryption. In Audun Jøsang, Lynn Futcher, Janne Hagen. \textit{ICT Systems Security and Privacy Protection}. 1. vyd. Oslo: Springer, 2021, s.~302-316. ISBN~978-3-030-78119-4. Dostupné z: https://doi.org/10.1007/978-3-030-78120-0\_{}20.

Přehled o publikaci