We want to detect DNS tunneling by analyzing DNS request properties.
We are looking for a Python developer who has network experience (DNS packet knowledge).
There will be 2 datasets consisting of pcap files of traced DNS traffic. One dataset will be for training. The training dataset will be assumed clean, and thresholds will be learned from that clean dataset. The second dataset will include all pcaps.
The Python code will open each pcap and analyze DNS requests and responses with these parameters:
1- Number of DNS requests per hour from same client (Threshold: unknown)
2- Domain name created in 7 days. (threshold: 7 days)
3- IP address is malicious
4- Domain name is malicious
5- Domain name Entropy (Threshold: Unknown)
6- DNS Packet size (Threshold: 116 bytes)
7- DNS Request record type (MX, TXT, NULL)
8- Number of hostnames per domain (Threshold: unknown)
Each parameter will have its own point between 0-100 (malicious IP address will have 0 or 100 only).
For example, the points for Entropy of Domain name will increase as the Entropy increases.
Each parameter will also have an index. The multiplication of the index and the point of a parameter will give us the final point.
After all that, we will use Naive Bayes classification to detect tunneling traffic.
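
A sketch of the point-and-index scoring for parameters 5, 6 and 7, added here as an illustration and not part of the original posting. The index values, the rule for learning the entropy range (mean and max of the clean names), treating sizes above 116 bytes as suspicious, and summing the index-times-point products into one value are all assumptions; the sample records are constructed.

```python
import math
from collections import Counter

SIZE_THRESHOLD = 116                   # bytes (parameter 6)
SUSPECT_TYPES = {"MX", "TXT", "NULL"}  # record types (parameter 7)
# Hypothetical indexes (weights); the posting does not give values.
INDEX = {"entropy": 0.5, "size": 0.3, "rtype": 0.2}

def entropy(name):
    """Shannon entropy in bits per character of a query name, dots ignored."""
    s = name.lower().replace(".", "")
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def learn_entropy_range(clean_names):
    """Assumed learning rule: (mean, max) entropy over the clean training names."""
    vals = [entropy(n) for n in clean_names]
    return sum(vals) / len(vals), max(vals)

def entropy_points(name, lo, hi):
    """0 at or below lo, 100 at or above hi, linear in between."""
    e = entropy(name)
    if hi <= lo:  # degenerate training set: fall back to a hard threshold
        return 100.0 if e > hi else 0.0
    return max(0.0, min(100.0, 100.0 * (e - lo) / (hi - lo)))

def score(record, lo, hi):
    """Per-parameter points and the index-weighted final point for one request."""
    points = {
        "entropy": entropy_points(record["qname"], lo, hi),
        "size": 100.0 if record["size"] > SIZE_THRESHOLD else 0.0,
        "rtype": 100.0 if record["qtype"].upper() in SUSPECT_TYPES else 0.0,
    }
    return points, sum(INDEX[k] * p for k, p in points.items())

# Constructed sample data, not taken from any real capture.
CLEAN = ["www.example.com", "mail.example.org", "cdn.example.net"]
SAMPLES = [
    {"qname": "www.example.com", "qtype": "A", "size": 75},
    {"qname": "mzxw6ytboi4dsnjrgq3tqojq.t.example.com", "qtype": "TXT", "size": 180},
]

if __name__ == "__main__":
    lo, hi = learn_entropy_range(CLEAN)
    for rec in SAMPLES:
        print(rec["qname"], score(rec, lo, hi))
```

The per-parameter points returned by `score` are the values that would feed the Naive Bayes step as features.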