DNS over HTTPS Tunneling Detection System Based on Selected Features via Ant Colony Optimization

DNS over HTTPS Tunneling Detection System Based on Selected Features via Ant Colony Optimization

DNS over HTTPS (DoH) is an advanced version of the traditional DNS protocol that prevents eavesdropping and man-in-the-middle attacks by encrypting queries and responses. However, it introduces new challenges such as encrypted traffic communication, masking malicious activity, tunneling attacks, and...

Full description

Saved in:
Bibliographic Details
Main Authors: Hardi Sabah Talabani, Zrar Khalid Abdul, Hardi Mohammed Mohammed Saleh
Format: Article
Language:English
Published: MDPI AG 2025-05-01
Series:Future Internet
Subjects:
intrusion detection system
DNS over HTTPS
ant colony optimization
feature selection
dimensionality reduction
machine learning
Online Access:https://www.mdpi.com/1999-5903/17/5/211
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:DNS over HTTPS (DoH) is an advanced version of the traditional DNS protocol that prevents eavesdropping and man-in-the-middle attacks by encrypting queries and responses. However, it introduces new challenges such as encrypted traffic communication, masking malicious activity, tunneling attacks, and complicating intrusion detection system (IDS) packet inspection. In contrast, unencrypted packets in the traditional Non-DoH version remain vulnerable to eavesdropping, privacy breaches, and spoofing. To address these challenges, an optimized dual-path feature selection approach is designed to select the most efficient packet features for binary class (DoH-Normal, DoH-Malicious) and multiclass (Non-DoH, DoH-Normal, DoH-Malicious) classification. Ant Colony Optimization (ACO) is integrated with machine learning algorithms such as XGBoost, K-Nearest Neighbors (KNN), Random Forest (RF), and Convolutional Neural Networks (CNNs) using CIRA-CIC-DoHBrw-2020 as the benchmark dataset. Experimental results show that the proposed model selects the most effective features for both scenarios, achieving the highest detection and outperforming previous studies in IDS. The highest accuracy obtained for binary and multiclass classifications was 0.9999 and 0.9955, respectively. The optimized feature set contributed significantly to reducing computational costs and processing time across all utilized classifiers. The results provide a robust, fast, and accurate solution to challenges associated with encrypted DNS packets.
ISSN:1999-5903

Similar Items