{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,8]],"date-time":"2026-04-08T07:00:08Z","timestamp":1775631608699,"version":"3.50.1"},"reference-count":42,"publisher":"Frontiers Media SA","license":[{"start":{"date-parts":[[2026,1,15]],"date-time":"2026-01-15T00:00:00Z","timestamp":1768435200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100019286","name":"Ajman University","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100019286","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100004768","name":"Universiti Teknikal Malaysia Melaka","doi-asserted-by":"publisher","award":["ANTARABANGSA(URMG)AJMAN\/2024\/FTMK\/A00069"],"award-info":[{"award-number":["ANTARABANGSA(URMG)AJMAN\/2024\/FTMK\/A00069"]}],"id":[{"id":"10.13039\/501100004768","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["frontiersin.org"],"crossmark-restriction":true},"short-container-title":["Front. Comput. Sci."],"abstract":"\n Introduction<\/jats:title>\n DNS tunneling remains a critical network threat, exploiting the inherent trust in the DNS protocol for unauthorized communication, data exfiltration, and firewall evasion.<\/jats:p>\n <\/jats:sec>\n \n Methods<\/jats:title>\n Addressing this challenge, this paper introduces a novel, hybrid feature selection framework that integrates the Random Forest classifier with an Enhanced Reinforcement Learning-Guided Grey Wolf Optimizer (EnhancedRLGWO). The EnhancedRLGWO employs a Dueling Deep Q-Network and strategic Opposition-Based Learning to intelligently navigate the feature space and identify an optimal, minimal subset.<\/jats:p>\n <\/jats:sec>\n \n Results<\/jats:title>\n Evaluated against the benchmark CIRA-CIC-DoHBrw-2020 dataset, the proposed approach achieved a state-of-the-art accuracy of 99.82% and a weighted F1-score of 99.79% using a highly compact subset of only 12 features. This performance significantly outperforms existing machine learning-based DNS tunneling detection systems, such as a hybrid feature selection model achieving 98.3% accuracy and a full 28-feature Random Forest baseline (98.50% accuracy). The experimental results showed the robustness of this method in identifying various types of DNS tunneling attacks, including Iodine, DNS2TCP, and DNScat2, while maintaining performance and accuracy.<\/jats:p>\n <\/jats:sec>","DOI":"10.3389\/fcomp.2025.1728980","type":"journal-article","created":{"date-parts":[[2026,1,15]],"date-time":"2026-01-15T06:26:09Z","timestamp":1768458369000},"update-policy":"https:\/\/doi.org\/10.3389\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["Advanced DNS tunneling detection: a hybrid reinforcement learning and metaheuristic approach"],"prefix":"10.3389","volume":"7","author":[{"given":"Mahmoud","family":"Sammour","sequence":"first","affiliation":[{"name":"Faculty of Information and Communication Technology, Universiti Teknikal Malaysia Melaka (UTeM)","place":["Durian Tunggal, Malaysia"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Mohd Fairuz Iskandar","family":"Othman","sequence":"additional","affiliation":[{"name":"Faculty of Information and Communication Technology, Universiti Teknikal Malaysia Melaka (UTeM)","place":["Durian Tunggal, Malaysia"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Aslinda","family":"Hassan","sequence":"additional","affiliation":[{"name":"Faculty of Information and Communication Technology, Universiti Teknikal Malaysia Melaka (UTeM)","place":["Durian Tunggal, Malaysia"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Omar","family":"Bhais","sequence":"additional","affiliation":[{"name":"Faculty of Artificial Intelligence and Cyber Security, Universiti Teknikal Malaysia Melaka (UTeM)","place":["Durian Tunggal, Malaysia"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Mohammed Saad","family":"Talib","sequence":"additional","affiliation":[{"name":"Engineering & Technology\/Electrical & Information Engineering, University of Babylon","place":["Al Hillah, Iraq"]}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1965","published-online":{"date-parts":[[2026,1,15]]},"reference":[{"key":"B1","doi-asserted-by":"publisher","first-page":"266","DOI":"10.63180\/jcsra.thestap.2025.4.6","article-title":"Designing a robust machine learning-based framework for secure data transmission in internet of things (IoT) environments: a multifaceted approach to security challenges","volume":"2025","author":"Abdulateef","year":"2025","journal-title":"J. Cyber Secur. Risk Audit"},{"key":"B2","doi-asserted-by":"publisher","first-page":"59","DOI":"10.63180\/jsrm.thestap.2025.1.3","article-title":"Responsive machine learning framework and lightweight utensil of prevention of evasion attacks in the IoT-based IDS","volume":"2025","author":"Abu Laila","year":"2025","journal-title":"STAP J. Secur. Risk Manag"},{"key":"B3","doi-asserted-by":"publisher","first-page":"71","DOI":"10.63180\/jsrm.thestap.2025.1.4","article-title":"Optimizing intrusion detection systems through benchmarking of ensemble classifiers on diverse network attacks","volume":"2025","author":"Abu Laila","year":"2025","journal-title":"STAP J. Secur. Risk Manag"},{"key":"B4","doi-asserted-by":"publisher","first-page":"1467","DOI":"10.3390\/electronics12061467","article-title":"Real-time detection system for data exfiltration over DNS tunneling using machine learning","volume":"12","author":"Abualghanam","year":"2023","journal-title":"Electronics"},{"key":"B5","doi-asserted-by":"publisher","first-page":"1467","DOI":"10.3390\/electronics12061467","article-title":"Real-Time Detection System for Data Exfiltration over DNS Tunneling Using Machine Learning","volume":"12","author":"Abualghanam","year":"2023","journal-title":"Electronics"},{"key":"B6","article-title":"POPS: from history to mitigation of DNS cache poisoning attacks","author":"Afek","year":"2025","journal-title":"arXiv preprint arXiv:2501.13540"},{"key":"B7","doi-asserted-by":"publisher","first-page":"32945","DOI":"10.1007\/s11042-023-16956-9","article-title":"An ensemble framework for detection of DNS-Over-HTTPS (DOH) Traffic","volume":"83","author":"Aggarwal","year":"2024","journal-title":"Multimed. Tools Appl"},{"key":"B8","doi-asserted-by":"publisher","first-page":"e2320","DOI":"10.1002\/nem.2320","article-title":"Real-time encrypted traffic classification in programmable networks with P4 and machine learning","volume":"35","author":"Akem","year":"2025","journal-title":"Int. J. Netw. Manag"},{"key":"B9","doi-asserted-by":"publisher","first-page":"22","DOI":"10.63180\/jsrm.thestap.2025.1.2","article-title":"Cyber security risk management for threats in wireless LAN: a literature review","volume":"2025","author":"Alghareeb","year":"2025","journal-title":"STAP J. Secur. Risk Manag"},{"key":"B10","doi-asserted-by":"publisher","first-page":"45","DOI":"10.63180\/jsrm.thestap.2024.1.3","article-title":"Adaptive and context-aware authentication framework using edge AI and blockchain in future vehicular networks","volume":"2024","author":"Ali","year":"2024","journal-title":"STAP J. Secur. Risk Manag"},{"key":"B11","unstructured":"A new technique for detecting email spam risks using LSTM-particle swarm optimization algorithms\n \n 5482\n 5494\n \n \n Alkhdour\n T.\n \n \n Alrawashdeh\n R.\n \n \n Almaiah\n M.\n \n \n Al-Ali\n R.\n \n \n Salloum\n S.\n \n \n Aldahyani\n T. H.\n \n \n J. Theor. Appl. Inf. Technol\n 102\n 2024"},{"key":"B12","doi-asserted-by":"publisher","first-page":"3","DOI":"10.63180\/jsrm.thestap.2024.1.1","article-title":"Cyber risk management in the internet of things: frameworks, models, and best practices","volume":"2024","author":"Almaayah","year":"2024","journal-title":"STAP J. Secur. Risk Manag"},{"key":"B13","doi-asserted-by":"publisher","first-page":"2307","DOI":"10.5267\/j.ijdns.2024.6.001","article-title":"Detecting DDoS attacks using machine learning algorithms and feature selection methods","volume":"8","author":"Almaiah","year":"2024","journal-title":"Int. J. Data Netw. Sci"},{"key":"B14","doi-asserted-by":"publisher","first-page":"306","DOI":"10.63180\/jcsra.thestap.2025.4.9","article-title":"Leveraging ACO, GA, and GWO for enhancing port scan attack detection using machine learning","volume":"2025","author":"Almaiah","year":"2025","journal-title":"J. Cyber Secur. Risk Audit"},{"key":"B15","doi-asserted-by":"publisher","first-page":"3","DOI":"10.63180\/jsrm.thestap.2025.1.1","article-title":"Enhancing intrusion detection systems by using machine learning in smart cities: issues, challenges and future research direction","volume":"2025","author":"Almarshood","year":"2025","journal-title":"STAP J. Secur. Risk Manag"},{"key":"B16","doi-asserted-by":"publisher","first-page":"4","DOI":"10.63180\/jcsra.thestap.2025.3.2","article-title":"Adversarial attack detection in industrial control systems using LSTM-based intrusion detection and black-box defense strategies","volume":"2025","author":"Almedires","year":"2025","journal-title":"J. Cyber Secur. Risk Audit"},{"key":"B17","doi-asserted-by":"publisher","first-page":"296","DOI":"10.47852\/bonviewJCCE52024668","article-title":"Enhance URL defacement attack detection using particle swarm optimization and machine learning","volume":"4","author":"Almomani","year":"","journal-title":"J. Comput. Cogn. Eng"},{"key":"B18","doi-asserted-by":"publisher","first-page":"261","DOI":"10.58496\/MJBD\/2025\/017","article-title":"A robust model for android malware detection via ML and DL classifiers","volume":"2025","author":"Almomani","year":"","journal-title":"Mesopot. J. Big Data"},{"key":"B19","doi-asserted-by":"publisher","first-page":"85","DOI":"10.63180\/jsrm.thestap.2025.1.5","article-title":"Securing trust: rule-based defense against on\/off and collusion attacks in cloud environments","volume":"2025","author":"Al-Naamneh","year":"2025","journal-title":"STAP J. Secur. Risk Manag"},{"key":"B20","doi-asserted-by":"publisher","first-page":"15","DOI":"10.58496\/BJML\/2024\/002","article-title":"Intrusion detection system based on machine learning algorithms: (SVM and genetic algorithm)","volume":"2024","author":"Alsajri","year":"2024","journal-title":"Babylonian J. Mach. Learn"},{"key":"B21","doi-asserted-by":"publisher","first-page":"27","DOI":"10.63180\/jjic.thestap.2025.1.4","article-title":"Unsupervised text feature selection approach based on improved Prairie dog algorithm for the text clustering","volume":"2025","author":"Alshinwan","year":"2025","journal-title":"Jordanian J. Inform. Comput."},{"key":"B22","doi-asserted-by":"publisher","first-page":"47","DOI":"10.3390\/computers12030047","article-title":"Detection of DoH traffic tunnels using deep learning for encrypted traffic classification","volume":"12","author":"Alzighaibi","year":"2023","journal-title":"Computers"},{"key":"B23","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1109\/ITC-CSCC62988.2024.10628338","article-title":"\u201cMalicious traffic detection in DNS over HTTPS (DoH) using graph convolutional network,\u201d","volume-title":"2024 International Technical Conference on Circuits\/Systems, Computers, and Communications (ITC-CSCC)","author":"Boonyopakorn","year":"2024"},{"key":"B24","first-page":"52636","article-title":"A new hybrid CNN-LSTM model for detection of DNS tunneling attacks","volume":"12","author":"Bozkurt","year":"2024","journal-title":"IEEE Access"},{"key":"B25","doi-asserted-by":"crossref","first-page":"602","DOI":"10.1109\/USBEREIT61901.2024.10584043","article-title":"\u201cDetecting DNS tunnels using machine learning,\u201d","volume-title":"2024 IEEE Ural-Siberian Conference on Biomedical Engineering, Radioelectronics and Information Technology (USBEREIT)","author":"Bykov","year":"2024"},{"key":"B26","doi-asserted-by":"publisher","first-page":"e11","DOI":"10.1561\/116.00000058","article-title":"Malicious network traffic detection for DNS over HTTPS (DoH) using machine learning algorithms","volume":"12","author":"Casanova","year":"2023","journal-title":"APSIPA Trans. Signal Inf. Proc"},{"key":"B27","doi-asserted-by":"publisher","first-page":"23","DOI":"10.63180\/jcsra.thestap.2024.1.4","article-title":"Enhancing DDoS attack detection and mitigation in SDN using advanced machine learning techniques","volume":"2024","author":"Frederick","year":"2024","journal-title":"J. Cyber Secur. Risk Audit"},{"key":"B28","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1109\/ISDFS60797.2024.10527301","article-title":"\u201cDNS tunnel problem in cybersecurity,\u201d","volume-title":"2024 12th International Symposium on Digital Forensics and Security (ISDFS)","author":"G\u00fcrsoy","year":"2024"},{"key":"B29","doi-asserted-by":"publisher","first-page":"110959","DOI":"10.1016\/j.asoc.2023.110959","article-title":"Reinforcement learning-based comprehensive learning grey wolf optimizer for feature selection","volume":"147","author":"Hu","year":"2023","journal-title":"Appl. Soft Comput"},{"key":"B30","doi-asserted-by":"publisher","first-page":"54668","DOI":"10.1109\/ACCESS.2022.3175497","article-title":"Summary of DNS over HTTPS abuse","volume":"10","author":"Hynek","year":"2022","journal-title":"IEEE Access"},{"key":"B31","doi-asserted-by":"publisher","first-page":"50000","DOI":"10.1109\/ACCESS.2023.3275744","article-title":"DNS over HTTPS detection using standard flow telemetry","volume":"11","author":"Jerabek","year":"2023","journal-title":"IEEE Access"},{"key":"B32","doi-asserted-by":"publisher","first-page":"993","DOI":"10.3390\/s25040993","article-title":"MTL-DOHTA: multi-task learning-based DNS over HTTPS traffic analysis for enhanced network security","volume":"25","author":"Jung","year":"2025","journal-title":"Sensors"},{"key":"B33","doi-asserted-by":"publisher","first-page":"15346","DOI":"10.1109\/ACCESS.2025.3532353","article-title":"Reinforcement learning-based generative security framework for host intrusion detection","volume":"13","author":"Kim","year":"2025","journal-title":"IEEE Access"},{"key":"B34","doi-asserted-by":"publisher","first-page":"157","DOI":"10.3390\/fi12090157","article-title":"Internet of Things (IoT) cybersecurity: literature review and IoT cyber risk management","volume":"12","author":"Lee","year":"2020","journal-title":"Fut. Internet"},{"key":"B35","doi-asserted-by":"publisher","first-page":"178","DOI":"10.69593\/ajsteme.v4i03.105","article-title":"A review of machine learning and feature selection techniques for cybersecurity attack detection with a focus On DDoS attacks","volume":"4","author":"Roopesh","year":"2024","journal-title":"Acad. J. Sci. Technol. Eng. Mathem. Educ"},{"key":"B36","doi-asserted-by":"publisher","first-page":"77","DOI":"10.5267\/j.ijdns.2024.10.001","article-title":"Adoption deep learning approach using realistic synthetic data for enhancing network intrusion detection in intelligent vehicle systems","volume":"9","author":"Salloum","year":"2025","journal-title":"Int. J. Data Netw. Sci"},{"key":"B37","unstructured":"Sammour\n M.\n \n \n Enhanced Detection of DNS Tunnelling\n \n 2024"},{"key":"B38","doi-asserted-by":"publisher","first-page":"2130","DOI":"10.1038\/s41598-025-86118-4","article-title":"Optimizing cryptographic protocols against side channel attacks using WGAN-GP and genetic algorithms","volume":"15","author":"Singh","year":"2025","journal-title":"Sci. Rep"},{"key":"B39","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1109\/3ICT51146.2020.9312004","article-title":"\u201cDetecting malicious DNS over HTTPS traffic using machine learning,\u201d","volume-title":"2020 International Conference on Innovation and Intelligence for Informatics, Computing and Technologies (3ICT)","author":"Singh","year":"2020"},{"key":"B40","doi-asserted-by":"publisher","first-page":"211","DOI":"10.3390\/fi17050211","article-title":"DNS over HTTPS tunneling detection system based on selected features via ant colony optimization","volume":"17","author":"Talabani","year":"2025","journal-title":"Fut. Internet"},{"key":"B41","doi-asserted-by":"publisher","first-page":"97224","DOI":"10.1038\/s41598-025-97224-8","article-title":"Grey wolf optimizer with self-repulsion strategy for feature selection","volume":"15","author":"Wang","year":"2025","journal-title":"Sci. Rep"},{"key":"B42","doi-asserted-by":"publisher","first-page":"108322","DOI":"10.1016\/j.comnet.2021.108322","article-title":"A comprehensive survey on DNS tunnel detection","volume":"197","author":"Wang","year":"2021","journal-title":"Comput. Netw"}],"container-title":["Frontiers in Computer Science"],"original-title":[],"link":[{"URL":"https:\/\/www.frontiersin.org\/articles\/10.3389\/fcomp.2025.1728980\/full","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,15]],"date-time":"2026-01-15T06:26:20Z","timestamp":1768458380000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.frontiersin.org\/articles\/10.3389\/fcomp.2025.1728980\/full"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1,15]]},"references-count":42,"alternative-id":["10.3389\/fcomp.2025.1728980"],"URL":"https:\/\/doi.org\/10.3389\/fcomp.2025.1728980","relation":{},"ISSN":["2624-9898"],"issn-type":[{"value":"2624-9898","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1,15]]},"article-number":"1728980"}}