Detection, characterization, and profiling DoH Malicious traffic using statistical pattern recognition

The domain name system (DNS) protocol has been used for over three decades. It plays a vital role in the functioning of the Internet by facilitating the conversion of domain names into IP addresses. However, DNS is an early and vulnerable network protocol that attackers frequently target due to its numerous security flaws. To address these security concerns, several improvements have been introduced over time. The most recent enhancement is DNS over HTTPS (DoH), which aims to enhance user privacy and security by safeguarding DNS requests and responses from eavesdropping and data manipulation. Nevertheless, DoH encounters several security and privacy issues, such as encrypted traffic hindering network administrators from inspecting DNS packets for Malicious activity. Consequently, this raises concerns regarding potential security breaches and increased risk. Identification and characterizing Malicious behavior of DoH network traffic helps mitigate these threats. To tackle these issues, this research proposes two statistical pattern recognition models based on logistic and linear regression. These proposed models aim to identify the profile of Malicious DoH network traffic behavior by recognizing data patterns. In this order, we proposed two models consisting of two primary stages: data preprocessing, which involves data preparation and the selection of optimal feature sets, and pattern recognition, in which the most suitable pattern is selected and used for data classification. We also presented the obtained Malicious DoH profile utilizing the correlation coefficients between the features. To assess the effectiveness of the proposed approaches, the CIRA-CIC-DoHBrw-2020 dataset is utilized, and a comparison is made against state-of-the-art machine learning and deep learning models. Experimental results indicate that the logistic regression-based model outperformed linear regression-based. Moreover, while the outcomes indicated that the effectiveness of the linear and logistic regression-derived models was lower than particular machine learning and deep learning models, our models employed a smaller set of features than earlier research endeavors. Furthermore, our proposed models offer several advantages over previous models, including low computational complexity, simple implementation, robustness to noise, and reduced data requirements This study is the first to use basic statistical models (linear and logistic regression) to profile Malicious behavior in DoH network traffic.