{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,5]],"date-time":"2025-12-05T12:31:54Z","timestamp":1764937914834,"version":"3.44.0"},"publisher-location":"Cham","reference-count":30,"publisher":"Springer Nature Switzerland","isbn-type":[{"type":"print","value":"9783032006233"},{"type":"electronic","value":"9783032006240"}],"license":[{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,8,10]],"date-time":"2025-08-10T00:00:00Z","timestamp":1754784000000},"content-version":"vor","delay-in-days":221,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025]]},"abstract":"<jats:title>Abstract<\/jats:title>\n          <jats:p>For a few years, malware with tunneling (or: covert channel) capabilities has been on the rise. While malware research led to several methods and innovations, the detection and <jats:italic>differentiation<\/jats:italic> of malware solely based on its DNS tunneling features is still in its infancy. Moreover, no work so far has used the DNS tunneling traffic to gain knowledge over the current <jats:italic>actions<\/jats:italic> taken by the malware.<\/jats:p>\n          <jats:p>In this paper, we present Domainator, an approach to detect and differentiate state-of-the-art malware and DNS tunneling tools without relying on trivial (but quickly altered) features such as \u201cmagic bytes\u201d that are embedded into subdomains. Instead, we apply an analysis of sequential patterns to identify specific types of malware. We evaluate our approach with 7 real-world malware samples and tunneling tools and can identify the particular malware based on its DNS traffic. We further infer the rough <jats:italic>behavior<\/jats:italic> of the particular malware through its DNS tunneling artifacts. Finally, we compare Domainator with related methods.\n<\/jats:p>","DOI":"10.1007\/978-3-032-00624-0_6","type":"book-chapter","created":{"date-parts":[[2025,8,9]],"date-time":"2025-08-09T11:42:14Z","timestamp":1754739734000},"page":"118-140","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["Domainator: Detecting and\u00a0Identifying DNS-Tunneling Malware Using Metadata Sequences"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0009-0000-7131-6844","authenticated-orcid":false,"given":"Denis","family":"Petrov","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0001-3540-983X","authenticated-orcid":false,"given":"Pascal","family":"Ruffing","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3360-1251","authenticated-orcid":false,"given":"Sebastian","family":"Zillien","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1913-5912","authenticated-orcid":false,"given":"Steffen","family":"Wendzel","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2025,8,10]]},"reference":[{"key":"6_CR1","doi-asserted-by":"crossref","unstructured":"Alkasassbeh, M., Almseidin, M.: Machine learning techniques for accurately detecting the DNS tunneling. In: Intelligent Comput. Springer (2023)","DOI":"10.1007\/978-3-031-37717-4_24"},{"key":"6_CR2","doi-asserted-by":"publisher","DOI":"10.1016\/j.sigpro.2025.109888","volume":"231","author":"LT Badar","year":"2025","unstructured":"Badar, L.T., Carminati, B., Ferrari, E.: A comprehensive survey on stegomalware detection in digital media, research challenges and future directions. Signal Process. 231, 109888 (2025)","journal-title":"Signal Process."},{"key":"6_CR3","unstructured":"Born, K., Gustafson, D.: Detecting DNS tunnels using character frequency analysis. arXiv, cs.CR(1004.4358) (2010)"},{"key":"6_CR4","doi-asserted-by":"crossref","unstructured":"Buczak, A.L., Hanke, P.A., Cancro, G.J., Toma, M.K., Watkins, L.A., Chavis, J.S.: Detection of tunnels in PCAP data by random forests. In: Proceedings of the Annual Cyber and Information Security Research Conference (CISRC \u201916\u2019). ACM (2016)","DOI":"10.1145\/2897795.2897804"},{"issue":"5","key":"6_CR5","doi-asserted-by":"publisher","first-page":"101","DOI":"10.1109\/MSEC.2022.3178205","volume":"20","author":"L Caviglione","year":"2022","unstructured":"Caviglione, L., Mazurczyk, W.: Never mind the malware, here\u2019s the stegomalware. IEEE Secur. Priv. 20(5), 101\u2013106 (2022)","journal-title":"IEEE Secur. Priv."},{"issue":"5","key":"6_CR6","doi-asserted-by":"publisher","first-page":"823","DOI":"10.1109\/TKDE.2010.235","volume":"24","author":"V Chandola","year":"2012","unstructured":"Chandola, V., Banerjee, A., Kumar, V.: Anomaly detection for discrete sequences: a survey. IEEE Trans. Knowl. Data Engin. 24(5), 823\u2013839 (2012)","journal-title":"IEEE Trans. Knowl. Data Engin."},{"key":"6_CR7","doi-asserted-by":"crossref","unstructured":"Dittmann, J., Kraetzer, C., Alemann, J., Birnbaum, B.: Forensic trace analysis for MP3 based stego-malware: exemplary study for stego-algorithm and capacity attribution to derive YARA rules for malware identification. In: Proceedings of the IHMMSec, pp. 101\u2013112. ACM (2024)","DOI":"10.1145\/3658664.3659641"},{"key":"6_CR8","unstructured":"E. Ekman & Iodine Contrib. iodine (2024). https:\/\/github.com\/yarrick\/iodine"},{"key":"6_CR9","unstructured":"Fox-IT. Saitama C2 Server (2024). https:\/\/github.com\/fox-it\/saitama-server"},{"key":"6_CR10","doi-asserted-by":"crossref","unstructured":"Gao, G., et al.: GraphTunnel: robust DNS tunnel detection based on DNS recursive resolution graph. IEEE Trans. Inf. Forens. Secur. (2024)","DOI":"10.1109\/TIFS.2024.3443596"},{"key":"6_CR11","unstructured":"Ironnet. The siren song of RogueRobin (2020). https:\/\/www.ironnet.com\/blog\/dns-tunneling-series-part-3-the-siren-song-of-roguerobin"},{"key":"6_CR12","unstructured":"Kennedy, J., The BlackBerry Threat Research & Intelligence Team: Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat (2022). https:\/\/intezer.com\/blog\/research\/new-linux-threat-symbiote\/"},{"key":"6_CR13","unstructured":"Kacherginsky, P.: DNSChef (2023). https:\/\/github.com\/iphelix\/dnschef"},{"key":"6_CR14","doi-asserted-by":"crossref","unstructured":"Kiltz, S., Dittmann, J., Loewe, F., et\u00a0al.: Forensic image trace map for image-stego-malware analysis: Validation of the effectiveness with structured image sets. In: Proceedings of the IHMMSec, pp. 125\u2013130. ACM (2024)","DOI":"10.1145\/3658664.3659659"},{"key":"6_CR15","doi-asserted-by":"crossref","unstructured":"Kn\u00f6chel, M., Karius, S.: Text steganography methods and their influence in malware: a comprehensive overview and evaluation. In: Proceedings of IHMMSec, pp. 113\u2013124. ACM (2024)","DOI":"10.1145\/3658664.3659637"},{"key":"6_CR16","doi-asserted-by":"crossref","unstructured":"Loganathan, G., Samarabandu, J., Wang, X.: Sequence to sequence pattern learning algorithm for real-time anomaly detection in network traffic. In: Canadian Conference on Electrical & Computer Engineering (CCECE), pp. 1\u20134 (2018)","DOI":"10.1109\/CCECE.2018.8447597"},{"key":"6_CR17","doi-asserted-by":"crossref","unstructured":"Machmeier, S., Heuveline, V.: Detecting DNS tunnelling and data exfiltration using dynamic time warping. In: Cyber Security in Networking Conference (CSNet), pp. 83\u201391 (2024)","DOI":"10.1109\/CSNet64211.2024.10851475"},{"key":"6_CR18","unstructured":"Malwarebytes. Saitama (2022). https:\/\/www.threatdown.com\/blog\/apt34-targets-jordan-government-using-new-saitama-backdoor\/"},{"key":"6_CR19","unstructured":"Mazurczyk, W., Wendzel, S., Zander, S., Houmansadr, A., Szczypiorski, K.: Information Hiding in Communication Networks. Wiley (2016)"},{"issue":"2","key":"6_CR20","doi-asserted-by":"publisher","first-page":"45","DOI":"10.2478\/s13537-014-0205-6","volume":"4","author":"A Mileva","year":"2014","unstructured":"Mileva, A., Panajotov, B.: Covert channels in TCP\/IP protocol stack-extended version. Open Comput. Sci. 4(2), 45\u201366 (2014)","journal-title":"Open Comput. Sci."},{"key":"6_CR21","unstructured":"MITRE ATT&CK. DarkHydrus (2023). https:\/\/attack.mitre.org\/groups\/G0079\/"},{"key":"6_CR22","unstructured":"MITRE ATT&CK. Hijack Execution Flow: Dynamic Linker Hijacking (2023). https:\/\/attack.mitre.org\/techniques\/T1574\/006\/"},{"key":"6_CR23","unstructured":"Palo Alto Networks. RogueRobin (2018). https:\/\/unit42.paloaltonetworks.com\/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government\/"},{"key":"6_CR24","unstructured":"R. Bowes & Contrib. DNSCat2 (2024). https:\/\/github.com\/iagox86\/dnscat2"},{"key":"6_CR25","unstructured":"Sch\u00fcppen, S., Teubert, D., Herrmann, P., Meyer, U.: FANCI: feature-based automated NXDomain classification and intelligence. In: Proceedings of the USENIX Security \u201918, pp. 1165\u20131181. USENIX Assoc. (2018)"},{"key":"6_CR26","doi-asserted-by":"crossref","unstructured":"Strachanski, F., Petrov, D., Schmidbauer, T., Wendzel, S.: A comprehensive pattern-based overview of stegomalware. In: Proceedings of the ARES \u201924. ACM (2024)","DOI":"10.1145\/3664476.3670886"},{"key":"6_CR27","doi-asserted-by":"crossref","unstructured":"Wendzel, S., Zander, S., Fechner, B., Herdin, C.: Pattern-based survey and categorization of network covert channel techniques. ACM Comput. Surv. 47(3) (2015)","DOI":"10.1145\/2684195"},{"issue":"3","key":"6_CR28","doi-asserted-by":"publisher","first-page":"44","DOI":"10.1109\/COMST.2007.4317620","volume":"9","author":"S Zander","year":"2007","unstructured":"Zander, S., Armitage, G., Branch, P.: A survey of covert channels and countermeasures in computer network protocols. IEEE Commun. Surv. Tutor. 9(3), 44\u201357 (2007)","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"6_CR29","doi-asserted-by":"crossref","unstructured":"Zillien, S., Petrov, D., Ruffing, P., Gross, F.: A development framework for TCP\/IP network steganography malware detection. In: Proceedings of the IHMMSec, pp. 95\u2013100. ACM (2024)","DOI":"10.1145\/3658664.3659651"},{"issue":"6","key":"6_CR30","doi-asserted-by":"publisher","first-page":"1865","DOI":"10.1007\/s10207-023-00723-w","volume":"22","author":"K \u017di\u017ea","year":"2023","unstructured":"\u017di\u017ea, K., Tadi\u0107, P., Vuleti\u0107, P.: DNS exfiltration detection in the presence of adversarial attacks and modified exfiltrator behaviour. Int. J. Inf. Secur. 22(6), 1865\u20131880 (2023)","journal-title":"Int. J. Inf. Secur."}],"container-title":["Lecture Notes in Computer Science","Availability, Reliability and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-032-00624-0_6","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,9,8]],"date-time":"2025-09-08T19:51:27Z","timestamp":1757361087000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-032-00624-0_6"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"ISBN":["9783032006233","9783032006240"],"references-count":30,"URL":"https:\/\/doi.org\/10.1007\/978-3-032-00624-0_6","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2025]]},"assertion":[{"value":"10 August 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"The authors have no competing interests to declare that are relevant to the content of this article.","order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Disclosure of Interests"}},{"value":"ARES","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Availability, Reliability and Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Ghent","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Belgium","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2025","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"11 August 2025","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"14 August 2025","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"20","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"ares-12025","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/2025.ares-conference.eu","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}
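The abstract above describes identifying DNS-tunneling tools from the sequence of per-query metadata rather than from payload "magic bytes", and reading rough malware activity off the same artifacts. The following is an added illustration of that idea in Python; it is not the paper's Domainator implementation and the paper's actual feature set and models are not reproduced here. Everything concrete is an assumption: the metadata token (query type, subdomain-length bucket, inter-arrival bucket), the bigram model, the phase labels, the tunnel zone `t.example`, the log-line format, and the two hypothetical tools `tool_A` and `tool_B` whose "captures" are constructed in code. The example goes slightly beyond the abstract by also scoring an unseen capture against the learned profiles.

```python
"""Added example (not the paper's Domainator code): classify a DNS query
stream by the *sequence* of per-query metadata, then segment it into rough
activity phases. Tool profiles, log lines and feature choices are constructed."""
import math
from collections import Counter, defaultdict

ZONE = "t.example"          # assumed tunnel zone (constructed)
# Assumption: long subdomains carry outbound data, short ones are polls/acks.
ACTIVITY = {"S": "polling", "M": "mixed", "L": "data-upload"}


def symbolize(qname: str, qtype: str, dt: float) -> str:
    """One query -> coarse token (qtype, subdomain-length bucket, timing
    bucket). Only metadata is used; the subdomain content is never decoded."""
    sub = qname[:-len(ZONE) - 1] if qname.endswith("." + ZONE) else qname
    lb = "S" if len(sub) < 16 else "M" if len(sub) < 48 else "L"
    tb = "f" if dt < 0.5 else "s"       # fast (< 0.5 s) / slow inter-arrival
    return f"{qtype}:{lb}:{tb}"


def to_sequence(log_lines):
    """Constructed log format: '<epoch> <qname> <qtype>' per line."""
    seq, prev = [], None
    for line in log_lines:
        ts, qname, qtype = line.split()
        ts = float(ts)
        seq.append(symbolize(qname, qtype, 0.0 if prev is None else ts - prev))
        prev = ts
    return seq


def profile(seq):
    """Bigram (first-order Markov) transition counts of a token sequence."""
    counts = defaultdict(Counter)
    for a, b in zip(seq, seq[1:]):
        counts[a][b] += 1
    return counts


def loglik(seq, prof, alphabet, alpha=0.5):
    """Additively smoothed log-likelihood of seq under a bigram profile."""
    ll = 0.0
    for a, b in zip(seq, seq[1:]):
        row = prof.get(a, Counter())
        ll += math.log((row[b] + alpha) / (sum(row.values()) + alpha * len(alphabet)))
    return ll


def classify(seq, train):
    """Return (best matching sample name, per-sample log-likelihood)."""
    alphabet = set(seq).union(*(set(s) for s in train.values()))
    scores = {name: loglik(seq, profile(s), alphabet) for name, s in train.items()}
    return max(scores, key=scores.get), scores


def phases(seq, min_run=3):
    """Collapse runs of the same length bucket into (activity, start, end)."""
    out, i = [], 0
    while i < len(seq):
        lb, j = seq[i].split(":")[1], i
        while j < len(seq) and seq[j].split(":")[1] == lb:
            j += 1
        if j - i >= min_run:
            out.append((ACTIVITY[lb], i, j))
        i = j
    return out


def make_log(pattern, start=1_700_000_000.0):
    """Constructed log lines from (qtype, subdomain_len, gap_seconds) tuples."""
    lines, t = [], start
    for qtype, n, gap in pattern:
        t += gap
        lines.append(f"{t:.3f} {'a' * n}.{ZONE} {qtype}")
    return lines


# Constructed reference captures: identical qtype, different rhythm.
# tool_A: slow short polls, then a short burst of long data queries.
# tool_B: long bursts of data queries with one short ack, no idle polling.
TRAIN = {
    "tool_A": to_sequence(make_log(([("TXT", 8, 2.0)] * 4 + [("TXT", 60, 0.1)] * 5) * 3)),
    "tool_B": to_sequence(make_log(([("TXT", 60, 0.1)] * 6 + [("TXT", 8, 0.1)]) * 4)),
}
# Constructed unseen capture with tool_A-like rhythm but different run lengths.
UNKNOWN_LOG = make_log(([("TXT", 8, 2.0)] * 3 + [("TXT", 60, 0.1)] * 6) * 2)

if __name__ == "__main__":
    seq = to_sequence(UNKNOWN_LOG)
    print(classify(seq, TRAIN))
    print(phases(seq))
```

Because the two constructed tools use the same record type and the subdomain bytes are never inspected, the only thing that separates them is the order and timing of short and long queries, which is the kind of signal a "magic bytes" change by the malware author does not remove. The phase segmentation is deliberately coarse; in a real deployment the length thresholds and the activity labels would be fitted per tunnel family rather than fixed as here.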