KRTunnel: DNS channel detector for mobile devices

Nowadays, DNS channel attacks on mobile devices have become a challenging threat. Attackers usually attack mobile devices and steal information with the help of DNS channel. It is difficult for users to de-tect this kind of attack, especially when attackers covert sensitive information in the DNS response. In this paper, we proposed a method for DNS tunnel detection based on isolated forest for Android. We constructed a framework for mobile devices to collect DNS tunnel traffic. Based on the analysis of DNS tunnel traffic generated on mobile devices, we extracted features based on DNS request and response and constructed the feature set. We proposed a DNS tunnel detector, KRTunnel, for mobile devices. Experi-ments showed that KRTunnel can identify unseen DNS tunnel traffic with the accuracy of 98.1%.(c) 2022 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY license ( http://creativecommons.org/licenses/by/4.0/ )