
XTS: A Hybrid Framework to Detect DNS-Over-HTTPS Tunnels Based on XGBoost and Cooperative Game Theory

Author

Listed:
  • Mungwarakarama Irénée

    (School of Computer Science and Engineering, Xi’an University, Xi’an 710071, China
    Computing and Information Science, University of Lay Adventists of Kigali, Kigali 6392, Rwanda)

  • Yichuan Wang

    (School of Computer Science and Engineering, Xi’an University, Xi’an 710071, China)

  • Xinhong Hei

    (School of Computer Science and Engineering, Xi’an University, Xi’an 710071, China)

  • Xin Song

    (School of Computer Science and Engineering, Xi’an University, Xi’an 710071, China)

  • Jean Claude Turiho

    (Computing and Information Science, University of Lay Adventists of Kigali, Kigali 6392, Rwanda)

  • Enan Muhire Nyesheja

    (Computing and Information Science, University of Lay Adventists of Kigali, Kigali 6392, Rwanda)

Abstract

This paper proposes a hybrid approach called XTS that combines several techniques to analyze highly imbalanced data with a minimal set of features. XTS combines cost-sensitive XGBoost, a game theory-based model explainer called TreeSHAP, and a newly developed algorithm known as the Sequential Forward Evaluation (SFE) algorithm. The general aim of XTS is to reduce the number of features required to learn a particular dataset. It assumes that a low-dimensional representation of the data can improve computational efficiency and model interpretability while retaining strong prediction performance. The efficiency of XTS was tested on a public dataset, and the results showed that by reducing the number of features from 33 to fewer than five, the proposed model achieved over 99.9% prediction efficiency. XTS was also found to outperform other benchmarked models and existing proof-of-concept solutions in the literature. The dataset contained data related to DNS-over-HTTPS (DoH) tunnels. The top predictors for DoH classification and characterization were identified using interactive SHAP plots; they included destination IP, packet length mode, and source IP. XTS offers a promising approach to improving the efficiency of DoH tunnel detection and analysis while maintaining accuracy, which can have important implications for behavioral network intrusion detection systems.

Suggested Citation

  • Mungwarakarama Irénée & Yichuan Wang & Xinhong Hei & Xin Song & Jean Claude Turiho & Enan Muhire Nyesheja, 2023. "XTS: A Hybrid Framework to Detect DNS-Over-HTTPS Tunnels Based on XGBoost and Cooperative Game Theory," Mathematics, MDPI, vol. 11(10), pages 1-29, May.
  • Handle: RePEc:gam:jmathe:v:11:y:2023:i:10:p:2372-:d:1151338

    Download full text from publisher

    File URL: https://www.mdpi.com/2227-7390/11/10/2372/pdf
    Download Restriction: no

    File URL: https://www.mdpi.com/2227-7390/11/10/2372/
    Download Restriction: no

    More about this item

    Keywords

    DNS tunneling; DoH-based C2 covert channels; XGBoost; cooperative game theory; SHAP values; feature importance analysis; dimensionality reduction; imbalanced data; XAI

    JEL classification:

    • C2 - Mathematical and Quantitative Methods - - Single Equation Models; Single Variables
