Patent attributes
Systems and methods for detecting data exfiltration using domain name system (DNS) queries include, in various embodiments, performing operations that include parsing a DNS query to determine whether that DNS query is likely to contain hidden data that is being exfiltrated from a system or network. Statistical methods can be used to analyze the DNS query to determine a likelihood whether each of a plurality of segments of the DNS query are indicative of data exfiltration methods. If one or multiple DNS queries are deemed suspicious based on the analysis, a security action on the DNS query can be performed, including sending an alert and/or blocking the DNS query from being forwarded.