Hybrid Temporal–Ensemble Learning for Adaptive Detection of Adversarial DNS Tunnels

Authors

  • Dr. B. N. Mallikarjuna Rao, Dhulipalla Teja, Shaik Reshma, Ravela Abhishek Kumar, Molabanti Sai Krishna

DOI:

https://doi.org/10.64751/

Keywords:

DNS tunneling detection, adversarial machine learning, hybrid neural networks, LSTM, stacking classifier, network security, explainable AI, intrusion detection systems

Abstract

The rapid proliferation of networked systems has heightened the exploitation of the Domain Name System (DNS) as a covert channel for data exfiltration, rendering DNS tunneling a significant cybersecurity threat. Conventional signature-based and rule-driven detection methods often fail to identify adversarial and low-rate tunneling traffic due to evolving attack patterns and obfuscation techniques. To mitigate these challenges, a hybrid neural network–based detection framework is developed, integrating machine learning classifiers with LSTM-based temporal modeling. Experiments utilize a publicly available Adversarial Machine Learning Dataset from Kaggle, encompassing multiple DNS traffic classes characterized by statistical and behavioral features. The dataset undergoes preprocessing, including null value removal, duplicate elimination, label encoding, SMOTE-based resampling, and feature normalization using StandardScaler. High-performance classifiers, particularly Gradient Boosting, XGBoost, and stacking ensembles, are employed and integrated with LSTM predictions. The stacking model achieved superior results, attaining an accuracy of 92.7% and a ROC-AUC of 0.986. Additionally, a Flask-based web interface is implemented to facilitate user interaction, allowing secure registration, login, input of DNS feature values, and real-time predictions. The framework effectively detects adversarial DNS tunneling while providing interpretability and robust network protection.

Published

04-04-26

How to Cite

Dr. B. N. Mallikarjuna Rao, Dhulipalla Teja, Shaik Reshma, Ravela Abhishek Kumar, Molabanti Sai Krishna. (2026). Hybrid Temporal–Ensemble Learning for Adaptive Detection of Adversarial DNS Tunnels. American Journal of AI Cyber Computing Management, 6(2), 223-228. https://doi.org/10.64751/