2024-08-07, Siena
This presentation is part of a graduate research project that delves into the vulnerabilities of Machine Learning (ML) models specifically designed to detect DNS over HTTPS (DoH) tunnels. Previous research has primarily focused on developing models that prioritize accuracy and explainability. However, these studies have often overlooked the potential of adversarial attacks, leaving the models vulnerable to common adversarial attacks like black-box attacks. This presentation will demonstrate that all cutting-edge DoH tunnel detection models are vulnerable to black-box attacks. Our approach uses real-world input data generated by DoH tunnel tools to constrain the attack algorithm.
Moreover, we will show specific vulnerable features that model developers should avoid. When this feature type is considered, we successfully evaded all DoH tunnel detection models without using advanced techniques.
Notably, the audience can use the same methods to evade most Machine Learning-Based Network Intrusion Detection Systems, underlining our findings' immediate and practical implications.
Author 1:
First Name: Emanuel
Last Name: Valente
Organization: iFood - Cybersecurity Team
Email: emanuel.valente@ifood.com.br
Twitter Handle: @emanu_valente
Blog: https://blog.ifoodsecurity.com/
Linkedin: https://www.linkedin.com/in/emanuelvalente/
Speaker Bio: Emanuel Valente is the principal cybersecurity engineer at iFood, the largest food tech company in Latin America, where he technically leads the security engineering team dedicated to designing and implementing advanced cybersecurity solutions. With over ten years of experience, Emanuel specializes in various security disciplines, including cloud and edge security, runtime security, and AI security. He brings a solid foundation in mathematics, statistics, and computer science to his work. Emanuel is pursuing a Master's in Cyber Security at the University of São Paulo. He has studied under the Fulbright Scholarship at the University of Arizona and the University of Florida, focusing on malware analysis. Additionally, Emanuel actively contributes to the OWASP Top 10 for LLM Apps. Committed to advancing cybersecurity technology, he shares his expertise through speaking engagements and research collaborations.
This presentation will dive into attacking ML DoH tunnel detection models using adversarial attack techniques for evasion. The key discussion points are as follows:
1 DNS tunnels
In this section, we will discuss the evolution of DNS. We will explain why DNS over HTTPS (DoH) was conceived, what motivations drove it, and which vulnerabilities of its predecessor it tried to mitigate. Next, we will demonstrate how attackers can leverage DNS and DoH to create tunnels, which are covert channels for communication that bypass traditional network security measures. These tunnels can be used to exfiltrate information or as C&C (Command and Control) communication channels for malicious activities. Additionally, we will highlight the most popular tools for creating these tunnels using DoH.
2 DoH Tunnel Detection Models
This section will discuss the primary datasets the scientific community uses to create ML models for detecting DoH tunnels. We will highlight how to extract features from DoH requests and which features are the most used. We will also address the gaps and bad practices in these datasets that lead to vulnerable models. Additionally, we will show the best practices for building DoH tunnel detection models, such as choosing the best algorithms, implementing robust feature engineering techniques, and selecting the most relevant features for the model.
3 Adversarial Attacks
This section will introduce adversarial attacks, a type of attack that aims to deceive or mislead a machine learning model by providing it with maliciously crafted input data. We will explain how white-box and black-box attacks on ML models are executed and how they differ. Furthermore, we will explain how to adapt black-box attacks, a type of adversarial attack where the attacker does not know the internal workings of the model, to target DoH tunnel detection models and similar models.
4 Attacking (DEMOs)
This section will present demos covering the following scenarios: First, we will demonstrate how basic black-box attacks work for attacking DoH tunnel detection models. Next, we will show a demo using the previous attacks, but this time, we will incorporate real-world inputs from DoH tunnel detection tools, constraining the attack algorithm. We will also identify vulnerable features within the dataset that attackers can exploit to bypass the DoH tunnel detection models. Additionally, we will release a patched version of the open-source tool dnstt that covers all of the scenarios considered.
Note: The demonstrations will be conducted live, but we will have pre-recorded videos to ensure continuity in case of any issues.
5 Defending
This section will explain how to defend against the attacks presented earlier and demonstrate good practices and techniques for protecting against them. We will also show how to build a robust model trained with adversarial attack samples generated from previous attacks, which can help improve the model's resilience to future attacks.
6 Next Steps
In the final section, we will outline the future steps in our research and discuss the remaining gaps. We warmly invite new contributors to join our research efforts, as your insights and expertise can significantly advance our understanding in this field.
Links:
- Experiments (Attacking DoH tunnel detection models): https://drive.google.com/drive/folders/1XJnemvBNs9wAW1LHWfT2ZVZnzbSyqx-z?usp=sharing
- Black Box Attack: Zero Order Optimization Attack, constrained to support real DoH tunnel tool inputs: https://drive.google.com/drive/folders/1_1tK9YfqtUVxSaVjsQHMpKhFrgmX_eAT?usp=sharing
- Dnstt patch (ongoing): You can now run it separately (dnstt + patch). The provided code does exactly that: https://drive.google.com/drive/folders/1qkhwAXBCy0wWasGH4RsTs06WcJqiTehE?usp=sharing
Takeaways: Participants will leave with a thorough understanding of the development and exploration of security-focused ML models, particularly those designed to detect DoH tunnels. Additionally, attendees will gain insights into the mechanics of adversarial attacks and learn practical techniques for assessing and enhancing the robustness of any ML model.
Intended Audience: This presentation is intended for cybersecurity professionals, machine learning researchers, network administrators, and anyone involved in the development and maintenance of network intrusion detection systems. It is also suitable for academic attendees, such as students and faculty, interested in the intersection of machine learning and cybersecurity. Additionally, security analysts and engineers looking to understand and mitigate vulnerabilities in ML-based systems would greatly benefit from this talk.
Talk Outline:
Introduction - 3 Minutes
- Who am I?
- Why am I here?
DNS Tunnels - 5 min
- DNS vs DoH
- DNS Tunnels
- DoH Tunnels
- Tunnel tools
DoH Tunnel detection models - 5 min
- DoH Datasets
- DoH Tunnel Detection ML models
Adversarial attacks - 5 min
- Intro
- White Box Attacks
- Black Box Attacks
- Adapting Black Box Attacking for DoH Detection Models
Attacking (DEMOs) - 15 minutes
- Attacking DoH Tunnel Detection models (DEMO)
- Constraining Black Box Attacking (real-world scenario) (DEMO)
- Identifying Dangerous Features (leveraging vulnerable features)
- Evading state-of-the-art models by leveraging vulnerable features (DEMO + tool)
Defending - 5 minutes
- Defending techniques
- Robust Models
End: Conclusions, next steps, how to contribute, questions - 7 minutes
- Conclusions
- Future work
- Where people can find more information
- Open for contributors
- Questions
Special Requirements:
- Internet
- Ability to project slides