Research Paper | Computer Engineering | Volume 10 Issue 6, June 2021 | Pages: 1888 - 1891 | India
A Lightweight Entropy-Rate Framework for DNS Tunneling Detection in Institutional Networks
Abstract: Domain Name System (DNS) is widely permitted through firewalls, making it a preferred channel for covert communication such as DNS tunneling. DNS tunneling enables attackers to exfiltrate data and establish command-and-control channels by embedding payloads into DNS queries and responses. Conventional detection methods often require deep packet inspection, heavy machine learning models, or large labelled datasets, limiting their applicability in resource-constrained institutional networks. This paper proposes a lightweight entropy-rate detection framework for identifying DNS tunneling behavior using short-term statistical indicators. The method computes query-string entropy, query-length deviation, unique domain ratio, NXDOMAIN ratio, and per-host query-rate anomalies within sliding time windows. These indicators are fused into a transparent anomaly score to detect both high-volume and stealthy tunneling attempts. The proposed approach is computationally efficient, explainable, and suitable for real-time deployment at campus gateways. Experimental evaluation demonstrates high detection accuracy with low false positives under mixed legitimate and malicious DNS traffic.
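The five indicators and the windowed, weighted fusion the abstract describes, as an added illustration that is not the paper's code: the resolver log lines, the benign baseline, the weights and the clipping thresholds are all constructed for this example and are not values from the paper's evaluation.

```python
import math
from collections import Counter, defaultdict
# Constructed sample resolver log, not real traffic: (timestamp_s, client_ip, qname, rcode).
# Rows for 10.0.0.9 are hypothetical tunnel-like queries; rows for 10.0.0.5 are ordinary lookups.
SAMPLE_LOG = [
    (0, "10.0.0.5", "www.example.com", "NOERROR"),
    (2, "10.0.0.5", "mail.example.com", "NOERROR"),
    (5, "10.0.0.5", "www.example.com", "NOERROR"),
    (8, "10.0.0.5", "mail.example.com", "NOERROR"),
    (0, "10.0.0.9", "a3f9c1e7b2d4.x.tunnel.example", "NXDOMAIN"),
    (1, "10.0.0.9", "9e0b7c5d1a2f.x.tunnel.example", "NXDOMAIN"),
    (2, "10.0.0.9", "4c8d2e6f0a1b.x.tunnel.example", "NOERROR"),
    (3, "10.0.0.9", "b7e1d3c9f5a0.x.tunnel.example", "NXDOMAIN"),
    (4, "10.0.0.9", "0f2a4c6e8b1d.x.tunnel.example", "NOERROR"),
]
# Assumed benign baseline; a real deployment would measure these over a clean training window.
BASELINE = {"len_mean": 16.0, "len_std": 5.0, "rate_qps": 0.5}

def shannon_entropy(s):
    """Bits per character of the query name with the label separators removed."""
    s = s.replace(".", "")
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values()) if s else 0.0

def host_features(records, window_s):
    """The five short-term indicators for one client's queries inside one window."""
    n, names = len(records), [r[2] for r in records]
    return {
        "entropy": sum(shannon_entropy(q) for q in names) / n,
        "len_dev": (sum(map(len, names)) / n - BASELINE["len_mean"]) / BASELINE["len_std"],
        "unique_ratio": len(set(names)) / n,
        "nx_ratio": sum(r[3] == "NXDOMAIN" for r in records) / n,
        "rate_dev": (n / window_s) / BASELINE["rate_qps"],
    }

def anomaly_score(f):
    """Transparent weighted fusion; each term is clipped to [0, 1] so the weights stay readable."""
    clip = lambda x: max(0.0, min(1.0, x))
    return round(0.30 * clip(f["entropy"] - 3.0)               # ~3 bits benign, ~4 bits for hex labels
                 + 0.20 * clip(f["len_dev"] / 3.0)              # length z-score, saturates at 3 sigma
                 + 0.20 * f["unique_ratio"]                     # share of never-repeated names
                 + 0.15 * f["nx_ratio"]                         # failed lookups from throwaway labels
                 + 0.15 * clip((f["rate_dev"] - 1.0) / 4.0), 3)  # 5x the baseline rate saturates

def score_window(log, start, window_s):
    """Score every client seen in [start, start + window_s); returns {client_ip: score}."""
    by_host = defaultdict(list)
    for rec in log:
        if start <= rec[0] < start + window_s:
            by_host[rec[1]].append(rec)
    return {ip: anomaly_score(host_features(recs, window_s)) for ip, recs in by_host.items()}
```

Because the rate term stays near zero for the low-rate host, the high score comes from entropy, length and uniqueness, which is the stealthy case the abstract says the fusion is meant to catch; sliding `start` forward re-scores each host on its most recent queries only.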
Keywords: DNS security, DNS tunneling, entropy analysis, query-rate deviation, anomaly detection, lightweight IDS
How to Cite: Santhosh K. M., "A Lightweight Entropy-Rate Framework for DNS Tunneling Detection in Institutional Networks", Volume 10 Issue 6, June 2021, International Journal of Science and Research (IJSR), Pages: 1888-1891, https://www.ijsr.net/getabstract.php?paperid=SR21617173026, DOI: https://dx.doi.org/10.21275/SR21617173026