As more devices connect to the internet, it becomes crucial to address their limitations and basic security needs. While much research focuses on utilizing ML and DL to tackle security challenges, there is often a tendency to overlook the practicality and feasibility of implementing these methods in real-time settings. This oversight stems from the constrained processing power and memory of certain devices, such as IoT devices, as well as concerns about the generalizability of these approaches. Focusing on the detection of DNS-tunneling attacks in a router as a case study, we present an end-to-end process designed to effectively address these challenges. The process spans from developing a lightweight DNS-tunneling detection model to integrating it into a resource-constrained device for real-time detection. Through our experiments, we demonstrate that utilizing stateless features for training the ML model, along with features chosen to be independent of the network configuration, leads to highly accurate results. The deployment of this carefully crafted model, optimized for embedded devices across diverse environments, resulted in high DNS-tunneling detection accuracy with minimal latency. With this work, we aim to encourage solutions that strike a balance between theoretical advancements and the practical applicability of ML approaches in the ever-evolving landscape of device security.
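To make the two design choices in the abstract concrete (stateless features, and features independent of the network configuration), the following is an added illustration and not the paper's model or code. It computes features from the DNS query name alone, with no per-flow state, timing, or IP addresses, so the same extractor behaves identically on any network. The query names are constructed samples, and the threshold table is a hypothetical stand-in for the lightweight trained classifier the paper describes.

```python
"""Stateless, configuration-independent DNS query features (illustrative example).

Added example; not the paper's model. Sample query names and thresholds are
constructed for demonstration only.
"""
import math
from collections import Counter

# Constructed sample query names with labels: 0 = benign-looking, 1 = tunnel-like.
SAMPLE_QUERIES = [
    ("www.example.com", 0),
    ("mail.example.org", 0),
    ("cdn-assets.example.net", 0),
    ("a3f9c1e7b2d84c6f0e1a9b7d5c3f2e1.tun.example.com", 1),
    ("zq8x2v9k4m1n7p3r5t6w8y0b2d4f6h8j.zq8x2v9k4m1n7p3r.t.example.org", 1),
]


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits of the character distribution of s."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_features(qname: str) -> dict:
    """Features computed from the query name only.

    No flow counters, inter-arrival times, resolver addresses or client IPs are
    used, so the features are stateless and do not depend on how the network is
    configured. The last two labels are treated as the registered domain and the
    remaining labels as the subdomain part a tunnel would encode data into.
    """
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    sub_labels = labels[:-2] if len(labels) > 2 else []
    subdomain = ".".join(sub_labels)
    digits = sum(ch.isdigit() for ch in subdomain)
    return {
        "qname_len": len(name),
        "label_count": len(labels),
        "max_label_len": max((len(lab) for lab in labels), default=0),
        "subdomain_len": len(subdomain),
        "subdomain_entropy": round(shannon_entropy(subdomain.replace(".", "")), 3),
        "digit_ratio": round(digits / len(subdomain), 3) if subdomain else 0.0,
    }


# Hypothetical thresholds standing in for a trained lightweight classifier.
THRESHOLDS = {"max_label_len": 30, "subdomain_entropy": 3.5, "digit_ratio": 0.3}


def score(features: dict) -> int:
    """Number of stateless features that exceed their threshold."""
    return sum(1 for key, limit in THRESHOLDS.items() if features[key] > limit)


def classify(qname: str) -> int:
    """1 = flag as tunnel-like, 0 = benign; majority of threshold hits."""
    return 1 if score(extract_features(qname)) >= 2 else 0


def evaluate(samples=SAMPLE_QUERIES) -> float:
    """Fraction of constructed samples classified correctly."""
    correct = sum(classify(q) == label for q, label in samples)
    return correct / len(samples)


if __name__ == "__main__":
    for q, label in SAMPLE_QUERIES:
        print(label, classify(q), extract_features(q))
    print("accuracy on constructed samples:", evaluate())
```

Because every feature is a pure function of the query name, the extractor can be evaluated per packet on a router without keeping flow tables, which is what keeps memory use and latency low on a constrained device; a real deployment would replace the threshold table with the trained model's decision logic and validate it on captured traffic rather than on constructed names.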