
DNS Data Exfiltration Detection Using Online Planning for POMDP
Author(s) - Yakov Bubnov
Publication year - 2019
Publication title - European Journal of Engineering Research and Science
Language(s) - English
Resource type - Journals
ISSN - 2506-8016
DOI - 10.24018/ejers.2019.4.9.1500
Subject(s) - blocking (statistics), computer science, partially observable Markov decision process, computer network, process (computing), distributed computing, data mining, Markov chain, machine learning, Markov model, operating system
This paper addresses the problem of blocking Domain Name System (DNS) exfiltration in a computer network. DNS exfiltration is the unauthorized transfer of sensitive data from the organization's network to a remote adversary. Given a detector of data exfiltration in DNS lookup queries, this paper proposes an approach to automate query-blocking decisions. More precisely, it defines an L-parametric Partially Observable Markov Decision Process (POMDP) formulation to enforce a query-blocking strategy at each network egress point, where L is a hyper-parameter that defines the required level of network security. The efficiency of the approach rests on (i) the absence of interactions between distributed detectors: blocking decisions are taken individually by each detector; and (ii) the blocking strategy being applied to each particular query, thereby minimizing potentially incorrect blocking decisions.