{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,3]],"date-time":"2026-06-03T07:59:19Z","timestamp":1780473559358,"version":"3.54.1"},"reference-count":35,"publisher":"MDPI AG","issue":"9","license":[{"start":{"date-parts":[[2025,9,8]],"date-time":"2025-09-08T00:00:00Z","timestamp":1757289600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Italian Recovery and Resilience Plan (PNRR)"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Computers"],"abstract":"<jats:p>Artificial Intelligence (AI) and Machine Learning (ML) are employed in numerous fields and applications. Even if most of these approaches offer a very good performance, they are affected by the \u201cblack-box\u201d problem. The way they operate and make decisions is complex and difficult for human users to interpret, making the systems impossible to manually adjust in case they make trivial (from a human viewpoint) errors. In this paper, we show how a \u201cwhite-box\u201d approach based on eXplainable AI (XAI) can be applied to the Domain Name System (DNS) tunneling detection problem, a cybersecurity problem already successfully addressed by \u201cblack-box\u201d approaches, in order to make the detection explainable. The obtained results show that the proposed solution can achieve a performance comparable to the one offered by an autoencoder-based solution while offering a clear view of how the system makes its choices and the possibility of manual analysis and adjustments.<\/jats:p>","DOI":"10.3390\/computers14090375","type":"journal-article","created":{"date-parts":[[2025,9,9]],"date-time":"2025-09-09T12:15:17Z","timestamp":1757420117000},"page":"375","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["Rule-Based eXplainable Autoencoder for DNS Tunneling Detection"],"prefix":"10.3390","volume":"14","author":[{"given":"Giacomo","family":"De Bernardi","sequence":"first","affiliation":[{"name":"IEIIT Institute, Italian National Research Council (CNR), 16149 Genoa, Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6404-2451","authenticated-orcid":false,"given":"Giovanni Battista","family":"Gaggero","sequence":"additional","affiliation":[{"name":"Department of Electrical, Electronics and Telecommunications Engineering and Naval Architecture (DITEN), University of Genoa, 16145 Genoa, Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0983-9131","authenticated-orcid":false,"given":"Fabio","family":"Patrone","sequence":"additional","affiliation":[{"name":"Department of Electrical, Electronics and Telecommunications Engineering and Naval Architecture (DITEN), University of Genoa, 16145 Genoa, Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Sandro","family":"Zappatore","sequence":"additional","affiliation":[{"name":"Department of Electrical, Electronics and Telecommunications Engineering and Naval Architecture (DITEN), University of Genoa, 16145 Genoa, Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9626-3483","authenticated-orcid":false,"given":"Mario","family":"Marchese","sequence":"additional","affiliation":[{"name":"Department of Electrical, Electronics and Telecommunications Engineering and Naval Architecture (DITEN), University of Genoa, 16145 Genoa, Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Maurizio","family":"Mongelli","sequence":"additional","affiliation":[{"name":"IEIIT Institute, Italian National Research Council (CNR), 16149 Genoa, Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"1968","published-online":{"date-parts":[[2025,9,8]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"15","DOI":"10.58496\/BJML\/2024\/002","article-title":"Intrusion Detection System Based on Machine Learning Algorithms:(SVM and Genetic Algorithm)","volume":"2024","author":"Alsajri","year":"2024","journal-title":"Babylon. J. Mach. Learn."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"106229","DOI":"10.1016\/j.conengprac.2024.106229","article-title":"Process monitoring for tower pumping units under variable operational conditions: From an integrated multitasking perspective","volume":"156","author":"Zhang","year":"2025","journal-title":"Control Eng. Pract."},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"109950","DOI":"10.1016\/j.ress.2024.109950","article-title":"Multi-hop graph pooling adversarial network for cross-domain remaining useful life prediction: A distributed federated learning perspective","volume":"244","author":"Zhang","year":"2024","journal-title":"Reliab. Eng. Syst. Saf."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Xu, F., Uszkoreit, H., Du, Y., Fan, W., Zhao, D., and Zhu, J. (2019, January 9\u201314). Explainable AI: A brief survey on history, research areas, approaches and challenges. Proceedings of the International Conference on Natural Language Processing and Chinese Computing (NLPCC), Dunhuang, China.","DOI":"10.1007\/978-3-030-32236-6_51"},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"76243","DOI":"10.1109\/ACCESS.2022.3191907","article-title":"On the Intersection of Explainable and Reliable AI for physical fatigue prediction","volume":"10","author":"Narteni","year":"2022","journal-title":"IEEE Access"},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"3473","DOI":"10.1007\/s10462-022-10256-8","article-title":"A global taxonomy of interpretable AI: Unifying the terminology for the technical and social sciences","volume":"56","author":"Graziani","year":"2023","journal-title":"Artif. Intell. Rev."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"154096","DOI":"10.1109\/ACCESS.2019.2949286","article-title":"Black-box vs. white-box: Understanding their advantages and weaknesses from a practical point of view","volume":"7","year":"2019","journal-title":"IEEE Access"},{"key":"ref_8","unstructured":"Mockapetris, P.V. (2025, June 05). RFC1035: Domain Names-Implementation and Specification. Available online: https:\/\/datatracker.ietf.org\/doc\/html\/rfc1035."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"108919","DOI":"10.1016\/j.comnet.2022.108919","article-title":"Detecting DNS over HTTPS based data exfiltration","volume":"209","author":"Zhan","year":"2022","journal-title":"Comput. Netw."},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"108322","DOI":"10.1016\/j.comnet.2021.108322","article-title":"A comprehensive survey on DNS tunnel detection","volume":"197","author":"Wang","year":"2021","journal-title":"Comput. Netw."},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"265","DOI":"10.1109\/TNSM.2019.2940735","article-title":"Monitoring Enterprise DNS Queries for Detecting Data Exfiltration from Internal Hosts","volume":"17","author":"Ahmed","year":"2020","journal-title":"IEEE Trans. Netw. Serv. Manag."},{"key":"ref_12","first-page":"12762","article-title":"Comparative Analysis for Detecting DNS Tunneling Using Machine Learning Techniques","volume":"12","author":"Sammour","year":"2017","journal-title":"Int. J. Appl. Eng. Res."},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Das, A., Shen, M.Y., Shashanka, M., and Wang, J. (2017, January 18\u201321). Detection of exfiltration and tunneling over DNS. Proceedings of the International Conference on Machine Learning and Applications (ICMLA), Cancun, Mexico.","DOI":"10.1109\/ICMLA.2017.00-71"},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Wu, K., Zhang, Y., and Yin, T. (2020\u20131, January 29). FTPB: A Three-stage DNS Tunnel Detection Method Based on Character Feature Extraction. Proceedings of the International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), Guangzhou, China.","DOI":"10.1109\/TrustCom50675.2020.00044"},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"1987","DOI":"10.1002\/dac.2836","article-title":"DNS tunneling detection through statistical fingerprints of protocol messages and machine learning","volume":"28","author":"Aiello","year":"2015","journal-title":"Int. J. Commun. Syst."},{"key":"ref_16","unstructured":"(2025, June 05). Open Data of DNS Tunneling. Available online: https:\/\/github.com\/mopamopa\/DNS-tunneling."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Cambiaso, E., Aiello, M., Mongelli, M., and Papaleo, G. (2016, January 5\u20138). Feature transformation and Mutual Information for DNS tunneling analysis. Proceedings of the International Conference on Ubiquitous and Future Networks (ICUFN), Vienna, Austria.","DOI":"10.1109\/ICUFN.2016.7536939"},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1002\/itl2.85","article-title":"Unsupervised learning and rule extraction for Domain Name Server tunneling detection","volume":"2","author":"Aiello","year":"2019","journal-title":"Internet Technol. Lett."},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"2339","DOI":"10.1109\/TIFS.2022.3183390","article-title":"An explainable AI-based intrusion detection system for DNS over HTTPS (DoH) attacks","volume":"17","author":"Zebin","year":"2022","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"ref_20","unstructured":"(2025, June 05). CIRA-CIC-DoHBrw-2020. Available online: https:\/\/github.com\/doh-traffic-dataset\/CIRA-CIC-DoHBrw-2020-and-DoH-Tunnel-Traffic-HKD."},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Liu, J., Li, S., Zhang, Y., Xiao, J., Chang, P., and Peng, C. (2017, January 1\u20134). Detecting DNS tunnel through binary-classification based on behavior features. Proceedings of the Trustcom\/BigDataSE\/ICESS, Sydney, NSW, Australia.","DOI":"10.1109\/Trustcom\/BigDataSE\/ICESS.2017.256"},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Yang, Z., Hongzhi, Y., Lingzi, L., Cheng, H., and Tao, Z. (2020, January 27\u201330). Detecting DNS Tunnels Using Session Behavior and Random Forest Method. Proceedings of the International Conference on Data Science in Cyberspace (DSC), Hong Kong, China.","DOI":"10.1109\/DSC50466.2020.00015"},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"36","DOI":"10.1016\/j.cose.2018.09.006","article-title":"Detection of malicious and low throughput data exfiltration over the DNS protocol","volume":"80","author":"Nadler","year":"2019","journal-title":"Comput. Secur."},{"key":"ref_24","unstructured":"Born, K., and Gustafson, D. (2010). Detecting DNS tunnels using character frequency analysis. arXiv."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Luo, M., Wang, Q., Yao, Y., Wang, X., Yang, P., and Jiang, Z. (2020, January 7\u201310). Towards Comprehensive Detection of DNS Tunnels. Proceedings of the Symposium on Computers and Communications (ISCC), Rennes, France.","DOI":"10.1109\/ISCC50000.2020.9219547"},{"key":"ref_26","unstructured":"(2025, June 05). Dns2tcp. Available online: https:\/\/github.com\/alex-sector\/dns2tcp."},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Bank, D., Koenigstein, N., and Giryes, R. (2023). Autoencoders. Machine Learning for Data Science Handbook: Data Mining and Knowledge Discovery Handbook, Springer.","DOI":"10.1007\/978-3-031-24628-9_16"},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Michelucci, U. (2022). An introduction to autoencoders. arXiv.","DOI":"10.1007\/978-1-4842-8020-1_9"},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"93575","DOI":"10.1109\/ACCESS.2022.3204171","article-title":"Explainable Artificial Intelligence in CyberSecurity: A Survey","volume":"10","author":"Capuano","year":"2022","journal-title":"IEEE Access"},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"93104","DOI":"10.1109\/ACCESS.2022.3204051","article-title":"Explainable artificial intelligence applications in cyber security: State-of-the-art in research","volume":"10","author":"Zhang","year":"2022","journal-title":"IEEE Access"},{"key":"ref_31","unstructured":"Muselli, M. (2005, January 8\u201311). Switching neural networks: A new connectionist model for classification. Proceedings of the Italian Workshop on Neural Nets (WIRN) and International Workshop on Natural and Artificial Immune Systems (NAIS), Vietri sul Mare, Italy."},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Parodi, S., Filiberti, R., Marroni, P., Libener, R., Ivaldi, G.P., Mussap, M., Ferrari, E., Manneschi, C., Montani, E., and Muselli, M. (2015). Differential diagnosis of pleural mesothelioma using Logic Learning Machine. BMC Bioinform., 16.","DOI":"10.1186\/1471-2105-16-S9-S3"},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"James, G., Witten, D., Hastie, T., Tibshirani, R., James, G., Witten, D., Hastie, T., and Tibshirani, R. (2021). Statistical learning. An Introduction to Statistical Learning: With Applications in R, Springer.","DOI":"10.1007\/978-1-0716-1418-1"},{"key":"ref_34","doi-asserted-by":"crossref","first-page":"66","DOI":"10.1109\/MIS.2022.3159098","article-title":"Sensitivity of Logic Learning Machine for Reliability in Safety-Critical Systems","volume":"37","author":"Narteni","year":"2022","journal-title":"IEEE Intell. Syst."},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Cangelosi, D., Blengio, F., Versteeg, R., Eggert, A., Garaventa, A., Gambini, C., Conte, M., Eva, A., Muselli, M., and Varesio, L. (2013). Logic Learning Machine creates explicit and stable rules stratifying neuroblastoma patients. BMC Bioinform., 14.","DOI":"10.1186\/1471-2105-14-S7-S12"}],"container-title":["Computers"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-431X\/14\/9\/375\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T18:42:04Z","timestamp":1760035324000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-431X\/14\/9\/375"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,9,8]]},"references-count":35,"journal-issue":{"issue":"9","published-online":{"date-parts":[[2025,9]]}},"alternative-id":["computers14090375"],"URL":"https:\/\/doi.org\/10.3390\/computers14090375","relation":{},"ISSN":["2073-431X"],"issn-type":[{"value":"2073-431X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,9,8]]}}}