An Explainable AI-based Intrusion Detection System for DNS over HTTPS (DoH) Attacks
Abstract
Over the past few years, Domain Name Service (DNS) has remained a prime
target for hackers as it enables them to gain first entry into networks
and gain access to data for exfiltration. Although the DNS over HTTPS
(DoH) protocol has desirable properties for internet users such as
privacy and security, it also causes a problem in that network
administrators are prevented from detecting suspicious network traffic
generated by malware and malicious tools. To support their efforts in
maintaining a secure network, in this paper, we have implemented an
explainable AI solution using a novel machine learning framework. We
have used the publicly available CIRA-CIC-DoHBrw-2020 dataset for
developing an accurate solution to detect and classify the DNS over
HTTPS attacks. Our proposed balanced and stacked Random Forest achieved
very high precision (99.91%), recall (99.92%) and F1 score (99.91%) for the
classification task at hand. Using explainable AI methods, we have
additionally highlighted the underlying feature contributions in an
attempt to provide transparent and explainable results from the model.