Decision tree
Computer science
Entropy (arrow of time)
Support vector machine
Byte
Network packet
Naive Bayes classifier
Machine learning
Artificial intelligence
Approximate entropy
Data mining
Pattern recognition (psychology)
Computer security
Physics
Quantum mechanics
Operating system
Authors
Yulduz Khodjaeva, A. Nur Zincir-Heywood
Identifier
DOI:10.1145/3465481.3470089
Abstract
In this paper, we propose the concept of "entropy of a flow" to augment flow statistical features for identifying malicious behaviours in DNS tunnels, specifically DNS over HTTPS traffic. In order to achieve this, we explore the use of three flow exporters, namely Argus, DoHlyzer and Tranalyzer2, to extract flow statistical features. We then augment these features using different ways of calculating the entropy of a flow. To this end, we investigate three entropy calculation approaches: entropy over all packets of a flow, entropy over the first 96 bytes of a flow, and entropy over the first n packets of a flow. We evaluate five machine learning classifiers, namely Decision Tree, Random Forest, Logistic Regression, Support Vector Machine and Naive Bayes, using these features in order to identify malicious behaviours in different publicly available datasets. The evaluations show that the Decision Tree classifier achieves an F-measure of 99.7% when flow statistical features are augmented with the entropy of a flow calculated over the first 4 packets.
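The three ways of computing the entropy of a flow named in the abstract, as an added worked example that is not code from the paper or its authors: it assumes a flow is represented as a list of packet payloads (raw bytes), uses Shannon entropy in bits per byte, and the two sample flows are constructed, since the abstract does not state the authors' exact entropy definition or packet representation.

```python
import math
import random
from collections import Counter

def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty, at most 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())

def entropy_all_packets(flow):
    """Approach 1: entropy over the bytes of every packet in the flow."""
    return shannon_entropy(b"".join(flow))

def entropy_first_bytes(flow, head=96):
    """Approach 2: entropy over only the first `head` bytes of the flow (96 in the paper)."""
    return shannon_entropy(b"".join(flow)[:head])

def entropy_first_n_packets(flow, n=4):
    """Approach 3: entropy over the first `n` packets of the flow (n=4 gave the best F-measure)."""
    return shannon_entropy(b"".join(flow[:n]))

def flow_features(flow, n=4, head=96):
    """Basic flow statistics augmented with the three entropy-of-a-flow variants."""
    return {
        "packet_count": len(flow),
        "total_bytes": sum(len(p) for p in flow),
        "entropy_all": entropy_all_packets(flow),
        "entropy_head": entropy_first_bytes(flow, head),
        "entropy_first_n": entropy_first_n_packets(flow, n),
    }

def sample_flows(seed=7):
    """Constructed flows (not real captures): a repetitive, low-entropy flow and one whose
    payloads are pseudo-random bytes, as encrypted or encoded tunnel data tends to look."""
    rng = random.Random(seed)
    repetitive = [b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"] * 6
    randomised = [bytes(rng.getrandbits(8) for _ in range(200)) for _ in range(6)]
    return {"repetitive": repetitive, "randomised": randomised}

if __name__ == "__main__":
    for name, flow in sample_flows().items():
        feats = flow_features(flow)
        print(name, {k: round(v, 3) if isinstance(v, float) else v for k, v in feats.items()})
```

Because the first-n-packets variant only needs the start of a flow, it can be computed before the flow finishes, which is what makes it usable for early detection in a flow exporter pipeline.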