Data exfiltration over the DNS protocol and its detection have been researched extensively in recent years. Prior studies focused on offline detection methods, which, although capable of detecting attacks, allow a large amount of data to be exfiltrated before the attack is detected and dealt with. In this paper, we introduce Information-based Heavy Hitters (ibHH), a real-time detection method based on live estimations of the amount of information transmitted to registered domains. ibHH uses constant-size memory and supports constant-time queries, which makes it suitable for deployment on recursive DNS servers to further reduce detection and response time. In our evaluation, we compared the performance of the proposed method to that of leading state-of-the-art DNS exfiltration detection methods on real-world datasets comprising over 250 billion DNS queries. The evaluation demonstrates ibHH's ability to successfully detect exfiltration rates as slow as 0.7 B/s, with a false positive alert rate of less than 0.004 and significantly lower resource consumption compared to other methods.
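The abstract describes ibHH only at the level of its two ingredients: a live estimate of the information carried to each registered domain, and a constant-memory, constant-time heavy-hitter summary over those estimates. The following Python sketch is an added illustration of how those pieces fit together; it is not the authors' code or the exact ibHH algorithm. The information estimate (Shannon entropy of the subdomain labels times their length), the choice of the Space-Saving algorithm for the summary, the "last two labels" rule for the registered domain, the 60 s window, the 1 B/s threshold and every domain name in the sample traffic are assumptions and constructed placeholders.

```python
import math
from collections import Counter

# --- Per-query information estimate (assumption: Shannon entropy of the labels) ---

def registered_domain(qname, suffix_labels=2):
    """Split a query name into (registered domain, subdomain part).

    Assumption: the registered domain is the last two labels. A real deployment
    would consult the Public Suffix List so that names under e.g. 'co.uk' are
    split correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= suffix_labels:
        return ".".join(labels), ""
    return ".".join(labels[-suffix_labels:]), ".".join(labels[:-suffix_labels])


def estimated_bits(subdomain):
    """Estimate the information carried by the subdomain labels: per-character
    Shannon entropy multiplied by the number of characters. 'www' -> 0 bits,
    'mail' -> 8 bits, a 32-char label of 32 distinct characters -> 160 bits."""
    text = subdomain.replace(".", "")
    if not text:
        return 0.0
    n = len(text)
    freqs = Counter(text)
    entropy = -sum((c / n) * math.log2(c / n) for c in freqs.values())
    return entropy * n


# --- Constant-memory heavy-hitter summary (Space-Saving algorithm) ---

class SpaceSaving:
    """Keeps at most k counters. An unknown key evicts the smallest counter and
    inherits its value as an error bound, so estimates never undercount."""

    def __init__(self, k):
        self.k = k
        self.counts = {}   # key -> estimated accumulated weight
        self.errors = {}   # key -> maximum possible overestimation

    def update(self, key, weight):
        if key in self.counts:
            self.counts[key] += weight
        elif len(self.counts) < self.k:
            self.counts[key] = weight
            self.errors[key] = 0.0
        else:
            # O(k) scan for brevity; the original algorithm keeps counters in
            # sorted buckets so the minimum is found in O(1).
            victim = min(self.counts, key=self.counts.get)
            base = self.counts.pop(victim)
            self.errors.pop(victim)
            self.counts[key] = base + weight
            self.errors[key] = base

    def estimate(self, key):
        return self.counts.get(key, 0.0)   # constant-time query

    def error(self, key):
        return self.errors.get(key, 0.0)


# --- Detector: estimated information per registered domain, normalised per second ---

class IbHHDetector:
    """Accumulates estimated bits per registered domain over one fixed window and
    flags domains whose rate exceeds threshold_bytes_per_s."""

    def __init__(self, k=8, window_seconds=60.0, threshold_bytes_per_s=1.0):
        self.window = window_seconds
        self.threshold = threshold_bytes_per_s
        self.summary = SpaceSaving(k)

    def observe(self, qname):
        domain, sub = registered_domain(qname)
        self.summary.update(domain, estimated_bits(sub))

    def rate_bytes_per_s(self, domain):
        return self.summary.estimate(domain) / 8.0 / self.window

    def alerts(self):
        return sorted(d for d in self.summary.counts
                      if self.rate_bytes_per_s(d) > self.threshold)


def run_constructed_sample():
    """Constructed traffic for one 60 s window (not real data): a few ordinary
    lookups, plus 30 queries whose 32-character labels use 32 distinct
    characters (5 bits/char) under a placeholder domain."""
    det = IbHHDetector(k=4)
    for name in ["www", "mail", "www", "cdn", "api"]:
        det.observe(f"{name}.example.com")
    for host in ["ntp.pool-placeholder.org", "static.cdn-placeholder.net"]:
        det.observe(host)
    alphabet = "0123456789abcdefghijklmnopqrstuv"
    for i in range(30):
        label = alphabet[i % 32:] + alphabet[:i % 32]
        det.observe(f"{label}.exfil-placeholder.example")
    return det


if __name__ == "__main__":
    det = run_constructed_sample()
    for dom in det.summary.counts:
        print(f"{dom:30s} {det.rate_bytes_per_s(dom):8.3f} B/s")
    print("alerts:", det.alerts())
```

In the constructed window the placeholder exfiltration domain accumulates 4800 estimated bits (10 B/s) while example.com stays well under 0.1 B/s. Two caveats matter in practice: an entropy-based estimate overcounts legitimately high-entropy labels (CDN hashes, DNSSEC-related names, anti-spam lookups), so a domain allow-list and a baseline per domain are needed to keep the false-positive rate low; and the Space-Saving error bound (`error()`) should be reported alongside an alert, since an evicted-and-reinserted domain's estimate may include weight it never received.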