A New Approach To Stop Breaches

Protect your digital empire using our solutions built with AI


Transforming DNS security with the intelligence of AI and the adaptability of ML.

DNS tunneling is a method that allows attackers to exploit the DNS protocol to bypass security controls and exfiltrate data or establish command and control (C2) channels. Since DNS is often allowed through firewalls and is a trusted protocol, it is an attractive technique for attackers to bypass security measures and extract sensitive data. To detect these threats accurately and quickly, TCPWave has designed a detection approach based on a Convolutional Neural Network (CNN) with minimal architecture complexity. The lack of quality datasets for evaluating DNS tunneling connections prompted us to construct a novel dataset containing DNS tunneling domains generated with many well-known DNS tools. Despite its simple architecture, the resulting CNN model correctly detected more than 98% of total tunneling domains with a false positive rate in decimals.

The ever-increasing rate of cyber threats has made it critical for organizations to safeguard their networks and sensitive data, as DNS exfiltration is just one method attackers use to exploit vulnerabilities in the DNS protocol, causing financial and reputational damage. Ransomware attacks have caused significant financial losses to organizations in recent years, and it is predicted that the cost of such attacks will reach $40 billion by 2024.

A recent study found that most ransomware attacks, specifically 76%, were executed outside of regular working hours. The same study discovered that 45% of the attacks started through email, phishing, and business email compromise. The remaining 21% of attacks were aimed at remote servers, with other methods such as third-party contractors, misconfigured cloud instances, remote desktop protocol, and USB media also being used. Ransom is usually demanded in bitcoins to avoid being traced by law enforcement. TCPWave provides a range of features such as a powerful AI algorithm, strong security policies, proper enforcement of data protection, and many best practices to protect from ransomware.

The dark web is a hidden section of the internet that requires specialized software or configurations to access and is often associated with illicit activities such as drug sales, weapons trading, and cybercrime. It can be used for legitimate purposes such as whistleblowing and anonymous communication, but its anonymity can make it a haven for criminals. As a result, individuals should be mindful of the potential dangers and exercise caution when using it.


  • TCPWave stops Iodine-based tunnels by examining the encoded traffic. Iodine works by encapsulating the data in DNS queries and responses, making it look like normal DNS traffic.


  • Dns2tcp is a DNS tunneling tool that allows TCP traffic to be encapsulated in DNS queries and responses. It can be used to bypass DNS firewalls and other network security measures. TCPWave detects and prevents this traffic.


  • Dnscat2 is a command and control (C&C) tool that allows remote control of compromised machines through DNS queries and responses. TCPWave detects and prevents this traffic.


  • OzymanDNS is a DNS tunneling library that can be used to create custom DNS tunneling tools. It provides a flexible framework for encapsulating data in DNS requests and responses. TCPWave detects and prevents this traffic.

TCPWave's DNS Titan solution utilizes advanced AI/ML technology to detect and prevent cyber threats. With its state-of-the-art machine learning algorithms trained on massive and varied DNS data, it accurately identifies and mitigates potential security threats. Additionally, the solution uses signature-based anomaly detection using Suricata to efficiently detect malicious activity on the network.

TCPWave's DNS Titan solution is designed to listen to and analyze DNS queries to detect potential malicious activity. It includes functions for preprocessing data, calculating entropy, and processing queries, as well as a main function that sets up the required models and starts the packet sniffing process.

TCPWave uses Zeek to perform intrusion detection and allows for uploading a whitelist and blacklist from user input into the TCPWave NSM templates. The stateful firewall intercepts malware at a much lower level of the OSI stack, making it difficult for attackers to penetrate the network.

TCPWave's DNS Titan solution is a cutting-edge, AI/ML-based infrastructure tracer and analyzer that offers a comprehensive solution for all DNS security needs. With its advanced machine learning algorithms, Titan provides DNS Tunnel Detection, a crucial feature that enables the detection of malicious DNS traffic flowing through the digital network in your organization.
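The preprocess, entropy and query-processing steps mentioned above can be illustrated with a small heuristic detector. This is an added example, not TCPWave's code or model: the function names, the three thresholds, the two-label base-domain rule and the sample queries are all assumptions constructed here, and a fixed threshold stands in for the trained classifier.

```python
import math
from collections import Counter, defaultdict

def preprocess(qname, base_labels=2):
    """Lowercase, drop the trailing dot, split into (subdomain, base domain).
    Assumption: the registered domain is the last `base_labels` labels; a real
    deployment would consult the Public Suffix List instead."""
    labels = qname.lower().rstrip(".").split(".")
    return "".join(labels[:-base_labels]), ".".join(labels[-base_labels:])

def shannon_entropy(s):
    """Shannon entropy of s in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def process_queries(qnames, min_len=30, min_entropy=3.5, min_unique=3):
    """Return base domains that received at least `min_unique` distinct long,
    high-entropy subdomains. Thresholds are illustrative assumptions."""
    suspicious = defaultdict(set)
    for q in qnames:
        sub, base = preprocess(q)
        if len(sub) >= min_len and shannon_entropy(sub) >= min_entropy:
            suspicious[base].add(sub)
    return sorted(b for b, subs in suspicious.items() if len(subs) >= min_unique)

# Constructed sample queries (not captured traffic).
SAMPLE = [
    "www.example.com.",
    "mail.example.org",
    # long but repetitive label: length alone must not trigger a flag
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.cdn.example",
    # a single high-entropy name: below the min_unique count
    "x9k2m4q7w1e8r5t3y6u0i2o4p7a9s1d3.single.example",
    # several distinct encoded-looking names under one base domain
    "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6.tunnel-demo.example",
    "q7r8s9t0u1v2w3x4y5z6a7b8c9d0e1f2.tunnel-demo.example",
    "g3h4i5j6k7l8m9n0o1p2q3r4s5t6u7v8.tunnel-demo.example",
]

if __name__ == "__main__":
    print(process_queries(SAMPLE))
```

Counting distinct flagged names per base domain, rather than alerting on a single query, keeps one-off hashed hostnames from raising an alert.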

DNS Titan's advanced AI/ML technology allows it to detect DNS tunneling, a popular technique used by attackers to bypass traditional security measures. The system uses machine learning algorithms trained on massive and varied DNS data to identify malicious traffic flowing through DNS pathways within the organization. This feature enables administrators to prevent data breaches and protect their organizations from cyber threats. Supervised learning is at the heart of DNS Titan's machine-learning capabilities. This learning task involves mapping inputs to outputs based on labeled training data consisting of pairs of input objects and desired output values. Titan produces an inferred function that can accurately map new examples by analyzing this data. This function is optimized to determine class labels for unseen instances and generalize from the training data to new situations.


In conclusion, TCPWave offers robust protection against DNS tunneling attacks with its advanced algorithm powered by AI, robust security policies, and proper enforcement of data protection. Its seamless monitoring and expedited incident response capabilities help organizations quickly detect and respond to any malicious activity. By securing DNS with many best practices, TCPWave ensures that enterprises are safeguarded against the exploitation of the DNS protocol for data exfiltration or command and control channels. With these comprehensive security measures in place, organizations can be confident in their ability to mitigate the risks associated with DNS tunneling and protect their sensitive data from cybercriminals.

Featured Resources

TCPWave DDI - XGBoost Model

TCPWave's DNS TITAN is upgraded with the state-of-the-art ML model, XGBoost, with improved accuracy and performance. Learn how to detect and mitigate DNS anomalies with TCPWave's XGBoost ML model.

TCPWave DDI - DNS Blackhole ACL

The use of ACLs is one of the network security practices that can protect the organization's network. Learn more about auto-blocking malicious traffic using the DNS Blackhole ACL mechanism in the TCPWave application.

TCPWave DDI - Atlantis Model

Learn more about TCPWave's DNS TITAN Atlantis, our first-ever Deep Learning model based on cutting-edge research that detects and mitigates DNS anomalies.