AI Day 2026
Description
• Encrypted Domain Name System (DNS) protocols such as DNS over HTTPS (DoH) enhance user privacy by preventing eavesdropping.
• However, they also enable attackers to conceal Command-and-Control (C2) communication and data exfiltration within HTTPS traffic.
• We propose a real-time detection framework deployed on the NVIDIA BlueField-3 Smart Network Interface Card (SmartNIC).
• Feature extraction and Machine Learning (ML) inference are offloaded to the SmartNIC, reducing host CPU intervention.
• A Multilayer Perceptron (MLP) classifier categorizes traffic into four classes: benign DoH, non-DoH, DoH tunnel, and Domain Generation Algorithm (DGA).
• The MLP architecture is chosen for its suitability for parallel execution.
• The model operates on bidirectional flow-level statistical features.
• These features are derived from packet sizes, timing behavior, and traffic pattern characteristics.
• To improve robustness against evolving threats, we extend public DGA datasets with additional DoH-encapsulated samples.
• ML performance is evaluated using classification accuracy and SHAP-based explainability analysis.
• System performance is evaluated in terms of per-packet processing latency and throughput scalability as the number of cores increases.
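The bidirectional flow-level features described above (packet sizes, timing behavior, traffic pattern), sketched as an added example that is not the authors' code and runs on a host rather than on the SmartNIC. The poster does not list its exact feature set, so the feature names, the packet record layout and the sample packets below are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample packets: (timestamp_s, src, sport, dst, dport, payload_bytes)
PACKETS = [
    (0.000, "10.0.0.5", 51000, "192.0.2.53", 443, 120),
    (0.020, "192.0.2.53", 443, "10.0.0.5", 51000, 480),
    (0.500, "10.0.0.5", 51000, "192.0.2.53", 443, 130),
    (0.525, "192.0.2.53", 443, "10.0.0.5", 51000, 500),
    (1.000, "10.0.0.9", 40000, "198.51.100.7", 443, 900),
]

def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a connection share one flow."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def _stats(values):
    # Mean and population std; 0.0 when empty keeps the feature vector fixed-width.
    if not values:
        return 0.0, 0.0
    return mean(values), pstdev(values)

def extract_features(packets):
    """Return {flow_key: feature dict} with per-direction size and timing statistics."""
    flows = defaultdict(lambda: {"fwd": [], "bwd": [], "times": [], "initiator": None})
    for ts, src, sport, dst, dport, size in sorted(packets):
        f = flows[flow_key(src, sport, dst, dport)]
        if f["initiator"] is None:
            f["initiator"] = (src, sport)  # first packet seen defines "forward"
        direction = "fwd" if (src, sport) == f["initiator"] else "bwd"
        f[direction].append(size)
        f["times"].append(ts)
    out = {}
    for key, f in flows.items():
        # Inter-arrival times across both directions of the flow
        gaps = [b - a for a, b in zip(f["times"], f["times"][1:])]
        fwd_mean, fwd_std = _stats(f["fwd"])
        bwd_mean, bwd_std = _stats(f["bwd"])
        iat_mean, iat_std = _stats(gaps)
        out[key] = {
            "pkts_fwd": len(f["fwd"]), "pkts_bwd": len(f["bwd"]),
            "bytes_fwd": sum(f["fwd"]), "bytes_bwd": sum(f["bwd"]),
            "size_fwd_mean": fwd_mean, "size_fwd_std": fwd_std,
            "size_bwd_mean": bwd_mean, "size_bwd_std": bwd_std,
            "iat_mean": iat_mean, "iat_std": iat_std,
            "duration": f["times"][-1] - f["times"][0],
        }
    return out
```

Each resulting dictionary is one fixed-width input row for a classifier; none of the features requires decrypting the HTTPS payload.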
Publication Info
2026.
© 2026, Sergio Elizalde, Ali AlSabeh, Samia Choueiri, Elie Kfoury, & Jorge Crichigno