Big Data Analysis Techniques for Network Traffic Monitoring: The Story of DNS over HTTPS Detection
Network monitoring plays a crucial role in the arsenal of tools used by network operators to ensure security. With the majority of network traffic now encrypted and the emergence of new protocols that extend encryption to previously unencrypted communications, traditional monitoring techniques that rely on the visibility of unencrypted network traffic have become obsolete. Consequently, solutions must now depend on the traffic metadata provided by widely used flow monitoring infrastructures. One of the protocols that get encrypted alternatives is DNS. DNS over HTTPS (DoH) is one of the attempts to encrypt DNS traffic that received broad adoption among users and resolvers. The~DoH implementation is already incorporated in most browsers, proxies, and operating systems. While DoH improves users' privacy, it leaves network operators and specialized Intrusion Detection Systems (IDS) blind to DNS traffic. Moreover, operators are unaware of DoH usage by users as DoH is designed to blend with other HTTPS traffic. Since its standardization in October 2018, the DoH has been studied extensively from various perspectives, including detection. This work proposes a reliable detection method using a combination of techniques, including machine learning, to identify DoH and distinguish it from regular HTTPS traffic, bringing awareness to network operators and allowing them to act according to their security policies. The work studies DoH thoroughly aligned with the data-centric concept of machine learning, enabling the creation of comprehensive datasets and designing effective practical detection mechanisms utilizing data sources of broadly present flow monitoring infrastructures. Moreover, the proposed detection method is tested in various scenarios, uncovering its characteristics and effectiveness compared with other state-of-the-art approaches.
DNS over HTTPS,Network Monitoring,Detection,Machine Learning, Data Centric Concept,Data Analysis,Cybersecurity