{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T01:32:38Z","timestamp":1760059958940,"version":"build-2065373602"},"reference-count":28,"publisher":"MDPI AG","issue":"7","license":[{"start":{"date-parts":[[2025,7,21]],"date-time":"2025-07-21T00:00:00Z","timestamp":1753056000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Science and Technology Innovation Program for Postgraduate students in IDP","award":["ZY20250327","CMGBKY202407"],"award-info":[{"award-number":["ZY20250327","CMGBKY202407"]}]},{"name":"China Metallurgical Geology Bureau","award":["ZY20250327","CMGBKY202407"],"award-info":[{"award-number":["ZY20250327","CMGBKY202407"]}]},{"name":"Shaoguan Data Industry Research Institute","award":["ZY20250327","CMGBKY202407"],"award-info":[{"award-number":["ZY20250327","CMGBKY202407"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>The covert nature of DNS covert channels makes them a widely utilized method for data exfiltration by malicious attackers. In response to this challenge, the present study proposes a detection methodology for DNS covert channels that employs a Deep Boltzmann Machine with Enhanced Security (DBM-ENSec). This approach entails the creation of a dataset through the collection of malicious traffic associated with various DNS covert channel attacks. Time-dependent grouping features are excluded, and feature optimization is conducted on individual traffic data through feature selection and normalization to minimize redundancy, enhancing the differentiation and stability of the features. The result of this process is the extraction of 23-dimensional features for each DNS packet. The extracted features are converted to gray scale images to improve the interpretability of the model and then fed into an improved Deep Boltzmann Machine for further optimization. The optimized features are then processed by an ensemble of classifiers (including Random Forest, XGBoost, LightGBM, and CatBoost) for detection purposes. Experimental results show that the proposed method achieves 99.92% accuracy in detecting DNS covert channels, with a validation accuracy of up to 98.52% on publicly available datasets.<\/jats:p>","DOI":"10.3390\/fi17070319","type":"journal-article","created":{"date-parts":[[2025,7,21]],"date-time":"2025-07-21T17:27:36Z","timestamp":1753118856000},"page":"319","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["An Improved Approach to DNS Covert Channel Detection Based on DBM-ENSec"],"prefix":"10.3390","volume":"17","author":[{"ORCID":"https:\/\/orcid.org\/0009-0002-7327-7978","authenticated-orcid":false,"given":"Xinyu","family":"Li","sequence":"first","affiliation":[{"name":"School of Information Engineering, Institute of Disaster Prevention, Langfang 065201, China"},{"name":"Langfang Key Laboratory of Network Emergency Protection and Network Security, Langfang 065201, China"}]},{"given":"Xiaoying","family":"Wang","sequence":"additional","affiliation":[{"name":"School of Information Engineering, Institute of Disaster Prevention, Langfang 065201, China"},{"name":"Langfang Key Laboratory of Network Emergency Protection and Network Security, Langfang 065201, China"}]},{"given":"Guoqing","family":"Yang","sequence":"additional","affiliation":[{"name":"School of Information Engineering, Institute of Disaster Prevention, Langfang 065201, China"},{"name":"Langfang Key Laboratory of Network Emergency Protection and Network Security, Langfang 065201, China"}]},{"given":"Jinsha","family":"Zhang","sequence":"additional","affiliation":[{"name":"School of Information Engineering, Institute of Disaster Prevention, Langfang 065201, China"},{"name":"Langfang Key Laboratory of Network Emergency Protection and Network Security, Langfang 065201, China"}]},{"given":"Chunhui","family":"Li","sequence":"additional","affiliation":[{"name":"School of Information Engineering, Institute of Disaster Prevention, Langfang 065201, China"},{"name":"Langfang Key Laboratory of Network Emergency Protection and Network Security, Langfang 065201, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0001-9655-5048","authenticated-orcid":false,"given":"Fangfang","family":"Cui","sequence":"additional","affiliation":[{"name":"School of Information Engineering, Institute of Disaster Prevention, Langfang 065201, China"},{"name":"Langfang Key Laboratory of Network Emergency Protection and Network Security, Langfang 065201, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-6044-1617","authenticated-orcid":false,"given":"Ruize","family":"Gu","sequence":"additional","affiliation":[{"name":"School of Information Engineering, Institute of Disaster Prevention, Langfang 065201, China"},{"name":"Langfang Key Laboratory of Network Emergency Protection and Network Security, Langfang 065201, China"}]}],"member":"1968","published-online":{"date-parts":[[2025,7,21]]},"reference":[{"key":"ref_1","first-page":"21","article-title":"The domain name system\u2014Past, present, and future","volume":"30","author":"Pope","year":"2012","journal-title":"Commun. Assoc. Inf. Syst."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3547331","article-title":"A survey on DNS encryption: Current development, malware misuse, and inference techniques","volume":"55","author":"Lyu","year":"2022","journal-title":"ACM Comput. Surv."},{"key":"ref_3","unstructured":"Coker, J. (2025, March 18). 72% of Organizations Experienced a DNS Attack in the Past Year. Available online: https:\/\/www.infosecurity-magazine.com\/news\/72-orgs-dns-attack-last-year\/."},{"key":"ref_4","unstructured":"Fouchereau, R. (2025, March 18). IDC 2023 Global DNS Threat Report. Available online: https:\/\/efficientip.com\/resources\/cyber-threat-intelligence-idc-2023-global-dns-threat-report\/."},{"key":"ref_5","first-page":"76","article-title":"Requested domain name-based DNS covert channel detection","volume":"19","author":"Zhang","year":"2019","journal-title":"Netinfo Secur."},{"key":"ref_6","first-page":"1753","article-title":"Detection of DNS tunnels based on log statistics feature","volume":"54","author":"Qi","year":"2020","journal-title":"J. Zhejiang Univ."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"102095","DOI":"10.1016\/j.cose.2020.102095","article-title":"DNS covert channel detection method using the LSTM model","volume":"104","author":"Chen","year":"2021","journal-title":"Comput. Secur."},{"key":"ref_8","first-page":"73","article-title":"DNS covert channel detection based on graph attention network","volume":"23","author":"Shen","year":"2023","journal-title":"Netinfo Secur."},{"key":"ref_9","first-page":"31","article-title":"Transformer-Based Detection Method for DNS Covert Channel","volume":"19","author":"Sun","year":"2023","journal-title":"Proceeds Sci."},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Bykov, N., and Chernyshov, Y. (2024, January 13). Detecting DNS Tunnels Using Machine Learning. Proceedings of the 2024 IEEE Ural-Siberian Conference on Biomedical Engineering, Radioelectronics and Information Technology, Yekaterinburg, Russian.","DOI":"10.1109\/USBEREIT61901.2024.10584043"},{"key":"ref_11","first-page":"143","article-title":"Detecting DNS-based covert channel on live traffic","volume":"34","author":"Zhang","year":"2013","journal-title":"J. China Inst. Commun."},{"key":"ref_12","first-page":"169","article-title":"Identification of DNS covert channel based on improved convolutional neural network","volume":"41","author":"Zhang","year":"2020","journal-title":"J. Commun."},{"key":"ref_13","unstructured":"Saeli, S., Bisio, F., Lombardo, P., and Massa, D. (2010). DNS covert channel detection via behavioral analysis: A machine learning approach. arXiv."},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"37","DOI":"10.17706\/IJCCE.2021.10.2.37-51","article-title":"Identification of DNS covert channel based on stacking method","volume":"10","author":"Yang","year":"2021","journal-title":"Int. J. Comput. Commun. Eng."},{"key":"ref_15","first-page":"60","article-title":"DNS covert channel detection method based on LSTM","volume":"41","author":"Chen","year":"2022","journal-title":"Inf. Technol. Netw. Secur."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Wang, Y., Shen, C., Hou, D., Xiong, X., and Li, Y. (2022). FF-MR: A DoH-encrypted DNS covert channel detection method based on feature fusion. Appl. Sci., 12.","DOI":"10.3390\/app122412644"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Diao, J., Fang, B., Cui, X., Wang, Z., Wang, T., and Song, S. (2022, January 9). From Passive to Active: Near-optimal DNS-based Data Exfiltration Defense Method Based on Sticky Mechanism. Proceedings of the 2022 IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Wuhan, China.","DOI":"10.1109\/TrustCom56396.2022.00032"},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Zhang, S., Han, Z., and Jiang, K. (2023, January 14). Detection of Data Leakage Based on DNS Traffic. Proceedings of the 2023 IEEE 5th International Conference on Power, Intelligent Computing and Systems, Shenyang, China.","DOI":"10.1109\/ICPICS58376.2023.10235404"},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"592","DOI":"10.1093\/jigpal\/jzs029","article-title":"Performance assessment and analysis of DNS tunneling tools","volume":"21","author":"Aiello","year":"2013","journal-title":"Log. J. IGPL"},{"key":"ref_20","first-page":"287","article-title":"A malicious domain detection approach based on character and resolution features","volume":"35","author":"Huang","year":"2018","journal-title":"Comput. Simul."},{"key":"ref_21","first-page":"66","article-title":"Research on domain flux botnet domain name detection method based on weighted support vector machine","volume":"12","author":"Song","year":"2018","journal-title":"Inf. Netw. Secur."},{"key":"ref_22","first-page":"448","article-title":"Deep boltzmann machines","volume":"15","author":"Salakhutdinov","year":"2009","journal-title":"Ina. Intell. Stat."},{"key":"ref_23","unstructured":"Vaswani, A., Shazeer, N., Parmar, N., Uszkoreit, J., Jones, L., Gomez, A.N., Kaiser, \u0141., and Polosukhin, I. (2017). Attention is all you need. Advances in neural information processing systems. arXiv."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"1947","DOI":"10.1021\/ci034160g","article-title":"Random forest: A classification and regression tool for compound classification and QSAR modeling","volume":"43","author":"Svetnik","year":"2003","journal-title":"J. Chem. Inf. Comput. Sci."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Chen, T., and Guestrin, C. (2016, January 13). Xgboost: A scalable tree boosting system. Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, San Francisco, CA, USA.","DOI":"10.1145\/2939672.2939785"},{"key":"ref_26","first-page":"3149","article-title":"Lightgbm: A highly efficient gradient boosting decision tree","volume":"30","author":"Ke","year":"2017","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"ref_27","unstructured":"(2025, March 18). Canadian Institute for CyberSecur. Available online: https:\/\/www.unb.ca\/cic\/datasets\/dns-exf-2021.html."},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Mahdavifar, S., Hanafy Salem, A., Victor, P., Razavi, A.H., Garzon, M., Hellberg, N., and Lashkari, A.H. (2021, January 3). Lightweight hybrid detection of data exfiltration using dns based on machine learning. Proceedings of the 2021 11th International Conference on Communication and Network Security, Weihai, China.","DOI":"10.1145\/3507509.3507520"}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/17\/7\/319\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T18:13:34Z","timestamp":1760033614000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/17\/7\/319"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,7,21]]},"references-count":28,"journal-issue":{"issue":"7","published-online":{"date-parts":[[2025,7]]}},"alternative-id":["fi17070319"],"URL":"https:\/\/doi.org\/10.3390\/fi17070319","relation":{},"ISSN":["1999-5903"],"issn-type":[{"type":"electronic","value":"1999-5903"}],"subject":[],"published":{"date-parts":[[2025,7,21]]}}}