DNS-over-HTTPS (DoH) improves domain name system (DNS) security by encapsulating DNS query and response content in HTTPS packets, but it also provides an opportunity for DoH-based covert tunneling attacks. To address the poor feature representation ability and low classification accuracy of existing research on classifying DoH tunneling tools, a multi-modal fusion deep learning classification model based on Transformer-gated recurrent unit (GRU)-multilayer perceptron (MLP) (TGM) is proposed to help security personnel accurately identify specific threat types and take corresponding defensive measures. The model combines the spatial sequence feature extraction ability of the transformer encoder with the time sequence feature learning advantage of the GRU to capture deep-level features that distinguish traffic generated by different DoH tunneling tools, and uses an MLP to learn statistical features. Finally, we fuse the output embeddings of the three branches and learn the weights of the different branch features through an attention mechanism. The experimental results show that our method achieves a classification accuracy of 98.87% and an F1-score of 98.02%, both better than the existing state-of-the-art methods.
Citation: Youwen Li, Qin Liu, Lejun Shen, Tao Wang, Jiangtao Zhai, Guangjie Liu. TGM: A fine-grained classification method for DoH tunneling tools based on Transformer-GRU-MLP[J]. Electronic Research Archive, 2026, 34(1): 173-195. doi: 10.3934/era.2026009
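The attention-weighted fusion of the three branch embeddings described in the abstract can be sketched as follows. This is an added example, not the authors' code: the scoring function (a learned query vector dotted with the tanh of each embedding), the embedding size and all sample values are assumptions made for illustration.

```python
import math

def softmax(scores):
    """Numerically stable softmax over a list of floats."""
    peak = max(scores)
    exps = [math.exp(s - peak) for s in scores]
    total = sum(exps)
    return [e / total for e in exps]

def attention_fuse(branches, query):
    """Fuse per-branch embeddings into one vector.

    branches: dict mapping branch name -> embedding (list of floats)
    query:    attention query vector (hypothetical; learned in training)
    Returns (fused_embedding, {branch: attention_weight}).
    """
    dim = len(query)
    for name, emb in branches.items():
        if len(emb) != dim:
            raise ValueError(f"branch {name!r} has dim {len(emb)}, want {dim}")
    names = list(branches)
    # Assumed scoring form: score_i = query . tanh(embedding_i)
    scores = [sum(q * math.tanh(x) for q, x in zip(query, branches[n]))
              for n in names]
    weights = softmax(scores)
    # The fused vector is the attention-weighted sum of branch embeddings.
    fused = [sum(w * branches[n][i] for w, n in zip(weights, names))
             for i in range(dim)]
    return fused, dict(zip(names, weights))

# Constructed sample embeddings for one flow (not taken from the paper).
SAMPLE = {
    "transformer": [0.9, -0.2, 0.4, 0.1],   # spatial sequence branch
    "gru":         [0.1, 0.8, -0.3, 0.5],   # time sequence branch
    "mlp":         [0.0, 0.1, 0.2, -0.1],   # statistical feature branch
}
QUERY = [1.0, 0.5, -0.5, 0.25]              # constructed query vector

def dominant_branch(branches, query):
    """Name of the branch that received the largest attention weight."""
    _, weights = attention_fuse(branches, query)
    return max(weights, key=weights.get)

if __name__ == "__main__":
    fused, weights = attention_fuse(SAMPLE, QUERY)
    print("weights:", {k: round(v, 3) for k, v in weights.items()})
    print("fused:  ", [round(v, 3) for v in fused])
```

The per-branch weights give an analyst a rough view of which modality drove a given classification.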