Information Based Heavy Hitters for Real-Time DNS Data Exfiltration Detection

Yarin Ozery

Network and Distributed System Security (NDSS) Symposium 2024 · Day 2 · Network & DNS Security

Data exfiltration over the Domain Name System (DNS) protocol remains a persistent and significant cybersecurity threat. Malicious actors, ranging from state-sponsored groups to ransomware operators, frequently exploit DNS because it is ubiquitous, rarely blocked, and inadequately monitored. They encode stolen data in DNS query names or record types, or manipulate query timing, to establish covert communication channels. While extensive research has explored DNS exfiltration detection, a critical gap persists: the predominant focus has been on *offline* detection methods. These methods inherently allow a substantial amount of sensitive data to be exfiltrated before an attack is even identified, let alone mitigated, leading to severe consequences for organizations.
