Master's thesis
| Abstract: | IT security remains a major challenge in the face of constantly evolving online threats. One of the most problematic and often underestimated threats is the malicious use of the DNS (Domain Name System) protocol, a fundamental pillar of the Internet. Although the DNS protocol is essential to online navigation, translating domain names into IP addresses, it is often overlooked by security systems because it is generally considered to be harmless. However, a few years after the concept of DNS tunneling came to light in 1998, enabling information to be conveyed via the DNS protocol for potentially malicious purposes, researchers turned their attention to the detection of such malicious behavior and, most recently, to its detection in the context of the DNS-over-HTTPS (DoH) protocol. This protocol, while enhancing security and confidentiality by encrypting DNS traffic, raises major concerns about the means of detecting its malicious use. This master's thesis focuses on the development of an automated detection method based on machine learning and flow-based feature extraction, aimed at distinguishing malicious behavior, such as Command and Control (C&C) and data exfiltration, carried through a DoH tunnel. We examine the feasibility of this approach by considering scenarios where malicious traffic has already been separated from normal DoH traffic. The classification models used are Logistic Regression, Support Vector Machine (SVM), Naive Bayes and Decision Tree. Analysis of the results shows that it is indeed possible to classify the two malicious behaviors of Command and Control (C&C) and data exfiltration with an accuracy of 98.4% with the Logistic Regression and SVM models, even if attackers try to "hide" by using non-default parameters. Finally, prospects for improvement are proposed in order to identify possible innovations. |