US Patent 11606385 Behavioral DNS tunneling identification

Methods, apparatus and computer software products for protecting a computing system implement embodiments of the present invention that include extracting, from data traffic transmitted over a data network connecting a plurality of computing devices to multiple Internet hosting services, respective sets of transmissions from the computing devices to the Internet hosting services, and identifying, in a given set of the transmissions from a given computing device, multiple domain name system (DNS) requests for an identical second-level domain (2LD) and for different respective sub-domains within the 2LD. A number of the different sub-domains within the 2LD and a data size of the multiple DNS requests are computed, and when the number of the different sub-domains and the data size of the multiple DNS requests exceed a predefined criterion, a preventive action is initiated to inhibit DNS tunneling from at least the given computing device.