{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,8]],"date-time":"2026-04-08T07:00:15Z","timestamp":1775631615327,"version":"3.50.1"},"reference-count":40,"publisher":"MDPI AG","issue":"5","license":[{"start":{"date-parts":[[2025,5,7]],"date-time":"2025-05-07T00:00:00Z","timestamp":1746576000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>DNS over HTTPS (DoH) is an advanced version of the traditional DNS protocol that prevents eavesdropping and man-in-the-middle attacks by encrypting queries and responses. However, it introduces new challenges such as encrypted traffic communication, masking malicious activity, tunneling attacks, and complicating intrusion detection system (IDS) packet inspection. In contrast, unencrypted packets in the traditional Non-DoH version remain vulnerable to eavesdropping, privacy breaches, and spoofing. To address these challenges, an optimized dual-path feature selection approach is designed to select the most efficient packet features for binary class (DoH-Normal, DoH-Malicious) and multiclass (Non-DoH, DoH-Normal, DoH-Malicious) classification. Ant Colony Optimization (ACO) is integrated with machine learning algorithms such as XGBoost, K-Nearest Neighbors (KNN), Random Forest (RF), and Convolutional Neural Networks (CNNs) using CIRA-CIC-DoHBrw-2020 as the benchmark dataset. Experimental results show that the proposed model selects the most effective features for both scenarios, achieving the highest detection and outperforming previous studies in IDS. The highest accuracy obtained for binary and multiclass classifications was 0.9999 and 0.9955, respectively. The optimized feature set contributed significantly to reducing computational costs and processing time across all utilized classifiers. 
The results provide a robust, fast, and accurate solution to challenges associated with encrypted DNS packets.<\/jats:p>","DOI":"10.3390\/fi17050211","type":"journal-article","created":{"date-parts":[[2025,5,7]],"date-time":"2025-05-07T08:20:53Z","timestamp":1746606053000},"page":"211","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":4,"title":["DNS over HTTPS Tunneling Detection System Based on Selected Features via Ant Colony Optimization"],"prefix":"10.3390","volume":"17","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-6042-0064","authenticated-orcid":false,"given":"Hardi Sabah","family":"Talabani","sequence":"first","affiliation":[{"name":"Department of Computer Science, College of Science, Charmo University, Sulaimaniyah, Chamchamal 46023, Iraq"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6586-8642","authenticated-orcid":false,"given":"Zrar Khalid","family":"Abdul","sequence":"additional","affiliation":[{"name":"Department of Computer Science, College of Science, Charmo University, Sulaimaniyah, Chamchamal 46023, Iraq"},{"name":"Department of Software Engineering, Faculty of Engineering, Koya University, Koya 44023, Iraq"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9766-9100","authenticated-orcid":false,"given":"Hardi Mohammed","family":"Mohammed Saleh","sequence":"additional","affiliation":[{"name":"Department of Computer Science, College of Science, Charmo University, Sulaimaniyah, Chamchamal 46023, Iraq"}]}],"member":"1968","published-online":{"date-parts":[[2025,5,7]]},"reference":[{"key":"ref_1","unstructured":"(2024, December 16). Security Market Size, Share & Trends Analysis Report. 2030. 
Available online: https:\/\/www.grandviewresearch.com\/industry-analysis\/security-market."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"122136","DOI":"10.1109\/ACCESS.2022.3223444","article-title":"Mel Frequency Cepstral Coefficient and Its Applications: A Review","volume":"10","author":"Abdul","year":"2022","journal-title":"IEEE Access"},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Ir\u00e9n\u00e9e, M., Wang, Y., Hei, X., Song, X., Turiho, J.C., and Nyesheja, E.M. (2023). XTS: A Hybrid Framework to Detect DNS-Over-HTTPS Tunnels Based on XGBoost and Cooperative Game Theory. Mathematics, 11.","DOI":"10.3390\/math11102372"},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"6608","DOI":"10.1109\/TITS.2021.3058553","article-title":"An Intrusion Detection Method Based on Machine Learning and State Observer for Train-Ground Communication Systems","volume":"23","author":"Gao","year":"2022","journal-title":"IEEE Trans. Intell. Transp. Syst."},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Koshy, A.M., Yellur, G., Kammachi, H.J., Isha, V.P., Kumar, R.P., and Moharir, M. (2021, January 7\u20138). An Insight into Encrypted DNS Protocol: DNS over TLS. 
Proceedings of the 2021 4th International Conference on Recent Developments in Control, Automation & Power Engineering (RDCAPE), Noida, India.","DOI":"10.1109\/RDCAPE52977.2021.9633480"},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"50000","DOI":"10.1109\/ACCESS.2023.3275744","article-title":"DNS Over HTTPS Detection Using Standard Flow Telemetry","volume":"11","author":"Jerabek","year":"2023","journal-title":"IEEE Access"},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"27237","DOI":"10.1109\/ACCESS.2024.3367004","article-title":"A Systematic Literature Review on Host-Based Intrusion Detection Systems","volume":"12","author":"Satilmis","year":"2024","journal-title":"IEEE Access"},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Abu Al-Haija, Q., Alohaly, M., and Odeh, A. (2023). A Lightweight Double-Stage Scheme to Identify Malicious DNS over HTTPS Traffic Using a Hybrid Learning Approach. Sensors, 23.","DOI":"10.3390\/s23073489"},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"2429","DOI":"10.1109\/COMST.2021.3105741","article-title":"Thirty Years of DNS Insecurity: Current Issues and Perspectives","volume":"23","author":"Schmid","year":"2021","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"18499","DOI":"10.1109\/ACCESS.2023.3247135","article-title":"Phishing or Not Phishing? A Survey on the Detection of Phishing Websites","volume":"11","author":"Zieni","year":"2023","journal-title":"IEEE Access"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Balyan, A.K., Ahuja, S., Lilhore, U.K., Sharma, S.K., Manoharan, P., Algarni, A.D., Elmannai, H., and Raahemifar, K. (2022). A Hybrid Intrusion Detection Model Using EGA-PSO and Improved Random Forest Method. Sensors, 22.","DOI":"10.3390\/s22165986"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Alenezi, R., and Ludwig, S.A. (2021, January 5\u20137). 
Classifying DNS Tunneling Tools for Malicious DoH Traffic. Proceedings of the 2021 IEEE Symposium Series on Computational Intelligence, SSCI 2021\u2014Proceedings, Orlando, FL, USA.","DOI":"10.1109\/SSCI50451.2021.9660136"},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"2402","DOI":"10.1109\/TNSM.2023.3334028","article-title":"An Autoencoder-Based Hybrid Detection Model for Intrusion Detection with Small-Sample Problem","volume":"21","author":"Wei","year":"2024","journal-title":"IEEE Trans. Netw. Serv. Manag."},{"key":"ref_14","first-page":"46","article-title":"Detecting Malicious DNS over HTTPS Traffic in Domain Name System Using Machine Learning Classifiers","volume":"8","author":"Banadaki","year":"2020","journal-title":"J. Comput. Sci. Appl."},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Preston, R. (2019, January 5\u20136). DNS Tunneling Detection with Supervised Learning. Proceedings of the 2019 IEEE International Symposium on Technologies for Homeland Security (HST), Woburn, MA, USA.","DOI":"10.1109\/HST47167.2019.9032913"},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Singh, S.K., and Roy, P.K. (2020, January 20\u201321). Detecting Malicious DNS over HTTPS Traffic Using Machine Learning. Proceedings of the 2020 International Conference on Innovation and Intelligence for Informatics, Computing and Technologies (3ICT), Online.","DOI":"10.1109\/3ICT51146.2020.9312004"},{"key":"ref_17","unstructured":"Palau, F., Catania, C., Guerra, J., Garcia, S., and Rigaki, M. (2020). DNS Tunneling: A Deep Learning Based Lexicographical Detection Approach. arXiv."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Ramakrishnan, S., and Senthil Rajan, A. (2022). 
Network Attack Detection with QNNBADT in Minimal Response Times Using Minimized Features, Springer.","DOI":"10.1007\/978-981-16-3728-5_43"},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"21265","DOI":"10.1007\/s11227-023-05444-4","article-title":"Improved Discrete Salp Swarm Algorithm Using Exploration and Exploitation Techniques for Feature Selection in Intrusion Detection Systems","volume":"79","author":"Barhoush","year":"2023","journal-title":"J. Supercomput."},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Alibrahim, H., and Ludwig, S.A. (2021, January 5\u20137). Investigation of Domain Name System Attack Clustering Using Semi-Supervised Learning with Swarm Intelligence Algorithms. Proceedings of the 2021 IEEE Symposium Series on Computational Intelligence (SSCI), Orlando, FL, USA.","DOI":"10.1109\/SSCI50451.2021.9659954"},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"102448","DOI":"10.1016\/j.cose.2021.102448","article-title":"An Effective Genetic Algorithm-Based Feature Selection Method for Intrusion Detection Systems","volume":"110","author":"Halim","year":"2021","journal-title":"Comput. Secur."},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Varzaneh, Z.A., and Hosseini, S. (2024). An Improved Equilibrium Optimization Algorithm for Feature Selection Problem in Network Intrusion Detection. Sci. Rep., 14.","DOI":"10.1038\/s41598-024-67488-7"},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"541","DOI":"10.1016\/j.jksuci.2018.03.011","article-title":"Anomaly Network-Based Intrusion Detection System Using a Reliable Hybrid Artificial Bee Colony and AdaBoost Algorithms","volume":"31","author":"Mazini","year":"2019","journal-title":"J. King Saud Univ.-Comput. Inf. Sci."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"28","DOI":"10.1109\/MCI.2006.329691","article-title":"Ant Colony Optimization","volume":"1","author":"Dorigo","year":"2006","journal-title":"IEEE Comput. Intell. 
Mag."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"6185","DOI":"10.1109\/ACCESS.2022.3233786","article-title":"Parallel Ant Colony Optimization Algorithm for Finding the Shortest Path for Mountain Climbing","volume":"11","author":"Alhenawi","year":"2023","journal-title":"IEEE Access"},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Chen, T., and Guestrin, C. (2016, January 13\u201317). XGBoost: A Scalable Tree Boosting System. Proceedings of the KDD \u201816: The 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, San Francisco, CA, USA.","DOI":"10.1145\/2939672.2939785"},{"key":"ref_27","doi-asserted-by":"crossref","first-page":"66","DOI":"10.21928\/uhdjst.v5n2y2021.pp66-74","article-title":"Comparative Study of Supervised Machine Learning Algorithms on Thoracic Surgery Patients Based on Ranker Feature Algorithms","volume":"5","author":"Abdulhadi","year":"2021","journal-title":"UHD J. Sci. Technol."},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"110366","DOI":"10.1016\/j.asoc.2023.110366","article-title":"A Class-Specific Feature Selection and Classification Approach Using Neighborhood Rough Set and K-Nearest Neighbor Theories","volume":"143","author":"Sewwandi","year":"2023","journal-title":"Appl. Soft. Comput."},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"31","DOI":"10.17849\/insm-47-01-31-39.1","article-title":"Random Forest","volume":"47","author":"Rigatti","year":"2017","journal-title":"J. Insur. Med."},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"185","DOI":"10.25130\/tjps.v29i1.1618","article-title":"A Review of Various Machine Learning Techniques and Its Application on IoT and Cloud Computing","volume":"29","author":"Talabani","year":"2024","journal-title":"Tikrit J. Pure Sci."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Jha, H., Patel, I., Li, G., Cherukuri, A.K., and Thaseen, S. (2021, January 25\u201327). 
Detection of Tunneling in DNS over HTTPS. Proceedings of the 2021 7th International Conference on Signal Processing and Communication (ICSC), Noida, India.","DOI":"10.1109\/ICSC53193.2021.9673380"},{"key":"ref_32","unstructured":"(2024, December 17). DoHBrw 2020 | Datasets | Research | Canadian Institute for Cybersecurity | UNB. Available online: https:\/\/www.unb.ca\/cic\/datasets\/dohbrw-2020.html."},{"key":"ref_33","doi-asserted-by":"crossref","first-page":"109960","DOI":"10.1109\/ACCESS.2021.3102399","article-title":"A Comparative Performance Analysis of Data Resampling Methods on Imbalance Medical Data","volume":"9","author":"Khushi","year":"2021","journal-title":"IEEE Access"},{"key":"ref_34","doi-asserted-by":"crossref","first-page":"14623","DOI":"10.1007\/s00521-021-06103-6","article-title":"BenchMetrics: A Systematic Benchmarking Method for Binary Classification Performance Metrics","volume":"33","author":"Canbek","year":"2021","journal-title":"Neural Comput. Appl."},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Talabani, H., and Avci, E. (2018, January 28\u201330). Performance Comparison of SVM Kernel Types on Child Autism Disease Database. Proceedings of the 2018 International Conference on Artificial Intelligence and Data Processing, IDAP 2018, Malatya, Turkey.","DOI":"10.1109\/IDAP.2018.8620924"},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Althnian, A., AlSaeed, D., Al-Baity, H., Samha, A., Dris, A.B., Alzakari, N., Abou Elwafa, A., and Kurdi, H. (2021). Impact of Dataset Size on Classification Performance: An Empirical Evaluation in the Medical Domain. Appl. Sci., 11.","DOI":"10.3390\/app11020796"},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"630","DOI":"10.1108\/WJE-10-2020-0527","article-title":"A New K-Means Grey Wolf Algorithm for Engineering Problems","volume":"18","author":"Mohammed","year":"2021","journal-title":"World J. Eng."},{"key":"ref_38","unstructured":"Altalabani, H.M. (2020). 
The Performance Comparison of Support Vector Machine Classification Kernel Functions on Medical Databases. [Master\u2019s Thesis]. Available online: https:\/\/acikbilim.yok.gov.tr\/handle\/20.500.12812\/402884."},{"key":"ref_39","unstructured":"(2024, December 17). The UNSW-NB15 Dataset | UNSW Research. Available online: https:\/\/research.unsw.edu.au\/projects\/unsw-nb15-dataset."},{"key":"ref_40","unstructured":"(2024, December 17). IDS 2012 | Datasets | Research | Canadian Institute for Cybersecurity | UNB. Available online: https:\/\/www.unb.ca\/cic\/datasets\/ids.html."}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/17\/5\/211\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T17:28:44Z","timestamp":1760030924000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/17\/5\/211"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,5,7]]},"references-count":40,"journal-issue":{"issue":"5","published-online":{"date-parts":[[2025,5]]}},"alternative-id":["fi17050211"],"URL":"https:\/\/doi.org\/10.3390\/fi17050211","relation":{},"ISSN":["1999-5903"],"issn-type":[{"value":"1999-5903","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,5,7]]}}}