University of Twente Student Theses


Detection of DoH tunnelling : comparing supervised with unsupervised learning

Vries, L.J.W. de (2021) Detection of DoH tunnelling : comparing supervised with unsupervised learning.

[img] PDF
Abstract:DNS over HTTPS (DoH) makes browsing the internet more secure and increases the privacy of users. However, DoH makes it harder for network administrators to keep their networks secure. DoH can be misused for malicious purposes such as tunnelling. The problem is that DoH traffic blends in with other HTTPS traffic, thus, it is hard to detect. In this thesis, a closer look is taken at the features that can be used to distinguish DoH network traffic from non-DoH traffic and to distinguishing benign from malicious DoH. Analysis of features that are useful to detecting DoH traffic resulted in a list of interesting features including flow duration and packet length related features Furthermore, supervised and unsupervised learning methods are applied to two datasets containing DoH and non-DoH network traffic. Whereas previous work relied on supervised learning which requires labelled data, which is hard to come by, this thesis applied unsupervised learning. Applying unsupervised learning methods resulted in an accuracy of roughly one to ten percent lower compared to supervised learning methods. These results prove the value of unsupervised learning for the detection of DoH traffic and can help system administrators lacking sufficient labelled data increasing the security of their networks.
Item Type:Essay (Master)
Faculty:EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject:54 computer science
Programme:Computer Science MSc (60300)
Link to this item:
Export this item as:BibTeX
HTML Citation
Reference Manager


Repository Staff Only: item control page