Describes an architecture for DNS tunneling detection in an AWS cloud environment, using the ELK stack (Elasticsearch, Logstash, Kibana).
- Modules for collecting DNS logs:
  - from AWS VPC Flow Logs -> Filebeat (Elastic Beat); flow logs carry only connection metadata (addresses, ports, protocol, byte counts), not query names
  - from AWS Route 53 query logs -> Filebeat (Elastic Beat)
  - from the DNS resolver (EC2 instance) on a private subnet -> Packetbeat (Elastic Beat), which captures the full queries and responses on the wire
- Machine Learning model:
  - feature analysis and extraction for the Machine Learning (ML) jobs;
  - definition of the relevant influencer fields and detectors;
  - anomaly detection model -> Elastic ML population analysis (each client is scored against the behaviour of the whole population of clients)
- DNS tunneling tools used in the tests:
  - Iodine
  - Dnscat2
  - DNSExfiltrator
  - DNSStager
  - Flightsim
- Experiment results and accuracy
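As an added illustration of the feature-extraction and population-analysis steps (this is example code written for this page, not the project's own ML job or Beats pipeline): the script below builds per-client features that tunnel traffic tends to push upward (longest subdomain label, label entropy, query volume, share of unusual record types, unique-name ratio) from a constructed set of DNS query records, then scores every client against the rest of the population with a leave-one-out z-score. That is the intuition behind an Elastic population job with the client address as the `over_field_name` and `high_*` detectors on those features. The client addresses, the domain names, the `tunnel-example.net` apex, the last-two-labels rule for the registered domain, the record types treated as rare, and the threshold of 3 standard deviations are all assumptions made for the example.

```python
"""Added example (not the project's code): per-client DNS features and a
leave-one-out population score over constructed DNS query records."""
import base64
import hashlib
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev

RARE_QTYPES = {"TXT", "NULL"}  # assumption: record types iodine/dnscat2 favour
FEATURES = ("queries", "unique_ratio", "max_label_len",
            "mean_entropy", "rare_qtype_ratio")


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for the empty string or one repeated symbol)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str):
    """Return (subdomain, registered_domain). Assumption: the registered domain
    is the last two labels; a real deployment should use the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def extract_features(records):
    """records: iterable of (client_ip, qname, qtype) -> {client: {feature: value}}."""
    per_client = defaultdict(list)
    for client, qname, qtype in records:
        per_client[client].append((qname, qtype))
    out = {}
    for client, qs in per_client.items():
        subs = [split_name(q)[0] for q, _ in qs]
        label_lens = [len(lab) for s in subs for lab in s.split(".") if lab]
        out[client] = {
            "queries": float(len(qs)),
            "unique_ratio": len({q for q, _ in qs}) / len(qs),
            "max_label_len": float(max(label_lens, default=0)),
            "mean_entropy": mean([shannon_entropy(s) for s in subs]),
            "rare_qtype_ratio": sum(t in RARE_QTYPES for _, t in qs) / len(qs),
        }
    return out


def population_scores(features):
    """Leave-one-out z-score per client and feature: how far each client sits
    from the population formed by all the other clients."""
    scores = {}
    for client, feats in features.items():
        others = [f for c, f in features.items() if c != client]
        scores[client] = {}
        for name in FEATURES:
            vals = [o[name] for o in others]
            mu, sigma, x = mean(vals), pstdev(vals), feats[name]
            if sigma == 0:  # the rest of the population agrees exactly
                z = 0.0 if x == mu else math.copysign(math.inf, x - mu)
            else:
                z = (x - mu) / sigma
            scores[client][name] = z
    return scores


def flag_outliers(records, threshold=3.0):
    """Clients whose highest feature z-score exceeds the threshold (high side only,
    like high_* detectors); returns {client: {feature: z}} for flagged clients."""
    scores = population_scores(extract_features(records))
    return {c: s for c, s in scores.items() if max(s.values()) > threshold}


def _tunnel_label(i: int) -> str:
    """Constructed stand-in for an encoded tunnel chunk: base32 of a hash."""
    digest = hashlib.sha256(f"chunk-{i}".encode()).digest()
    return base64.b32encode(digest).decode().lower().rstrip("=")[:50]


# Constructed sample records (client_ip, qname, qtype). 10.0.1.10-13 behave like
# ordinary hosts; 10.0.1.77 looks like an iodine-style tunnel: many unique,
# long, high-entropy labels under one apex, sent as NULL queries.
SAMPLE_QUERIES = [
    ("10.0.1.10", "www.example.com", "A"),
    ("10.0.1.10", "api.example.com", "A"),
    ("10.0.1.10", "mail.example.com", "MX"),
    ("10.0.1.10", "cdn.example.net", "A"),
    ("10.0.1.11", "www.example.org", "A"),
    ("10.0.1.11", "login.example.org", "A"),
    ("10.0.1.11", "www.example.org", "A"),
    ("10.0.1.12", "updates.example.com", "A"),
    ("10.0.1.12", "_dmarc.example.com", "TXT"),
    ("10.0.1.12", "www.example.net", "AAAA"),
    ("10.0.1.13", "www.example.com", "A"),
    ("10.0.1.13", "static.example.com", "A"),
    ("10.0.1.13", "api.example.org", "A"),
    ("10.0.1.13", "img.example.org", "A"),
    ("10.0.1.13", "www.example.net", "A"),
] + [("10.0.1.77", f"{_tunnel_label(i)}.t.tunnel-example.net", "NULL")
     for i in range(40)]

if __name__ == "__main__":
    for client, z in flag_outliers(SAMPLE_QUERIES).items():
        worst = max(z, key=z.get)
        print(f"{client}: flagged on {worst} (z={z[worst]:.1f})")
```

Run as a script it prints the flagged client and the feature that stood out most. In the real pipeline these feature fields would be produced by Beats processors or an ingest pipeline, and the population job computes the anomaly score itself; the leave-one-out scoring here only shows why a single tunnelling client separates cleanly from the rest even when the benign clients differ from each other.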
This project and its subsequent improvements were published in:
- English -> "A security model for DNS tunnel detection on cloud platform" https://ieeexplore.ieee.org/abstract/document/9969715
- Portuguese -> "IDENTIFICAÇÃO DE TÚNEIS DNS EM NUVEM COMPUTACIONAL USANDO DETECÇÃO DE ANOMALIAS" ("Identification of DNS tunnels in cloud computing using anomaly detection") https://ciaca-conf.org/wp-content/uploads/2022/11/4_CIACA2022_PT_F_068.pdf
- Revista RISTI -> "Tunelamento DNS: metodologia de detecção para ambiente em nuvem computacional" ("DNS tunneling: a detection methodology for cloud computing environments") https://www.risti.xyz/issues/ristie57.pdf