Deep Learning Based DNS Tunneling Detection and Blocking System

ALTUNCU M. A., Gulagiz F. K., ÖZCAN H., Bayir O. F., Gezgin A., Niyazov A., ...More

ADVANCES IN ELECTRICAL AND COMPUTER ENGINEERING, vol.21, no.3, pp.39-48, 2021 (SCI-Expanded) identifier identifier

  • Publication Type: Article / Article
  • Volume: 21 Issue: 3
  • Publication Date: 2021
  • Doi Number: 10.4316/aece.2021.03005
  • Journal Indexes: Science Citation Index Expanded (SCI-EXPANDED), Scopus, Aerospace Database, Communication Abstracts, INSPEC, Metadex, Directory of Open Access Journals
  • Page Numbers: pp.39-48
  • Keywords: artificial neural networks, computer networks, intrusion detection, Domain Name System, machine learning
  • Kocaeli University Affiliated: Yes


The main purpose of DNS is to convert domain names into IPs. Due to the inadequate precautions taken for the security of DNS, it is used for malicious communication or data leakage. Within the scope of this study, a real-time deep network-based system is proposed on live networks to prevent the common DNS tunneling threats over DNS. The decision-making capability of the proposed system at the instant of threat on a live system is the particular feature of the study. Networks trained with various deep network topologies by using the data from Alexa top 1 million sites were tested on a live network. The system was integrated to the network during the tests to prevent threats in real-time. The result of the tests reveal that the threats were blocked with success rate of 99.91%. Obtained results confirm that we can block almost all tunnel attacks over DNS protocol. In addition, the average time to block each tunneled package was calculated to be 0.923 ms. This time clearly demonstrates that the network flow will not be affected, and no delay will be experienced in the operation of our system in real-time.