Unveiling DoH tunnel: Toward generating a balanced DoH encrypted traffic dataset and profiling malicious behavior using inherently interpretable machine learning

Encrypted domain name resolution can reduce the risk of privacy leakage for Internet users. However, it may also prevent network administrators from detecting suspicious communications. Profiling malicious and benign DNS-over-HTTPS (DoH) traffic can provide deeper insights into their behaviors, improving user activity identification and characterization. In this research, we proposed a new behavioral profiling model by selecting a method with high performance that is inherently interpretable. The inherently interpretable methods, including Linear Regression, Decision Trees (DT), and Random Forest (RF), were analyzed for understanding and providing more meaningful behavioral profiles. Based on the analysis, DT was selected to profile the malicious and benign behavior. To reduce the computational cost, improve the model performance and interpretability, and prevent overfitting issues, we introduced a novel feature engineering technique based on mutual information and the correlation coefficient between features to identify the best feature set for behavioral profiling. We also generated a public balanced dataset for analyzing the performance of the proposed profiling model, 'BCCC-CIRA-CIC-DoHBrw-2020'. This dataset is based on 'CIRA-CIC-DoHBrw-2020' which is a publicly available dataset. We utilized the SMOTE data balancing technique to generate the mentioned dataset. The experimental results showed an accuracy of 93.93% and 94.86% for the created malicious and benign profiles, respectively.