From Graphs to Gates: DNS-HyXNet, A Lightweight and Deployable Sequential Model for Real-Time DNS Tunnel Detection

Faraz Ali, Muhammad Afaq, Mahmood Niazi, Muzammil Behzad

TL;DR

The paper tackles DNS tunnel detection by addressing the inefficiencies of graph-based methods for real-time use. It introduces DNS-HyXNet, a lightweight two-layer xLSTM that fuses tokenized domain labels with numeric DNS features to enable single-pass, graph-free multi-class detection. On public benchmarks, the method achieves near-perfect accuracy with sub-millisecond per-sample latency, demonstrating strong performance without graph construction. The work shows that temporal sequence modeling can rival graph-based robustness while enabling deployable, energy-efficient real-time defense on commodity hardware.

Abstract

Domain Name System (DNS) tunneling remains a covert channel for data exfiltration and command-and-control communication. Although graph-based methods such as GraphTunnel achieve strong accuracy, they introduce significant latency and computational overhead due to recursive parsing and graph construction, limiting their suitability for real-time deployment. This work presents DNS-HyXNet, a lightweight extended Long Short-Term Memory (xLSTM) hybrid framework designed for efficient sequence-based DNS tunnel detection. DNS-HyXNet integrates tokenized domain embeddings with normalized numerical DNS features and processes them through a two-layer xLSTM network that directly learns temporal dependencies from packet sequences, eliminating the need for graph reconstruction and enabling single-stage multi-class classification. The model was trained and evaluated on two public benchmark datasets with carefully tuned hyperparameters to ensure low memory consumption and fast inference. Across all experimental splits of the DNS-Tunnel-Datasets, DNS-HyXNet achieved up to 99.99% accuracy, with macro-averaged precision, recall, and F1-scores exceeding 99.96%, and demonstrated a per-sample detection latency of just 0.041 ms, confirming its scalability and real-time readiness. These results show that sequential modeling with xLSTM can effectively replace computationally expensive recursive graph generation, offering a deployable and energy-efficient alternative for real-time DNS tunnel detection on commodity hardware.

Paper Structure

This paper contains 37 sections, 12 equations, 6 figures, 5 tables.

Figures (6)

  • Figure 1: Hybrid xLSTM pipeline and operational integration. Raw DNS telemetry from corporate networks (server logs, packet captures, or syslog) is parsed once and converted into compact windowed sequences. The preprocessing layer performs normalization and bounded hash-bucket tokenization, producing numeric and categorical embeddings that feed into two stacked xLSTM blocks. Each block uses exponential forget gating to capture fine-grained temporal dependencies. The final dense-softmax head provides a single-stage multi-class decision across benign, wildcard, and tunneling tools. The red arrow at the bottom right indicates the attack flow, showing the adversary's attempt to communicate or exfiltrate data through the DNS channel. The model integrates directly with SOC monitoring and policy enforcement systems for real-time blocking or alerting of DNS-based exfiltration attempts.
  • Figure 2: Overall visualization of dataset characteristics in the DNS-Tunnel-Datasets.
  • Figure 3: Distribution of frame.len values across DNS traffic classes. Tunnel traffic exhibits greater length variability compared to normal DNS queries.
  • Figure 4: Row-normalized confusion matrix for the DNS-Tunnel-Datasets (60/20/20 split). Off-diagonal elements are negligible.
  • Figure 5: Overall performance of DNS-HyXNet on the CIC-Bell-DNS-EXF-2021 dataset. Subfigure fig:cm_cic shows the row-normalized confusion matrix, while Subfigure fig:cicbars highlights that both classes achieve precision, recall, and F1-scores above 99.3%.
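The preprocessing stage that the abstract and the Figure 1 caption describe (normalization of numeric DNS features, bounded hash-bucket tokenization of domain labels, grouping into windowed sequences) as an added Python example; this is not the paper's code, and the bucket count, labels kept, window length, feature bounds and the sample records are all assumptions.

```python
import hashlib

# Assumed preprocessing constants (not from the paper): bucket count, labels kept, window size.
VOCAB_BUCKETS = 4096
MAX_LABELS = 8
WINDOW = 4
# Assumed per-feature (min, max) bounds, as fitted on a training split: frame.len, qname length, label count.
FEATURE_BOUNDS = [(40.0, 512.0), (1.0, 253.0), (1.0, 16.0)]

def label_to_bucket(label: str) -> int:
    """Map one domain label to a bounded id in [1, VOCAB_BUCKETS); 0 is reserved for padding."""
    digest = hashlib.sha256(label.lower().encode("utf-8")).digest()  # deterministic across processes
    return 1 + int.from_bytes(digest[:4], "big") % (VOCAB_BUCKETS - 1)

def tokenize_domain(qname: str) -> list[int]:
    """Bucket each label; keep the leftmost MAX_LABELS (where encoded payloads sit) and right-pad with 0."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    ids = [label_to_bucket(l) for l in labels[:MAX_LABELS]]
    return ids + [0] * (MAX_LABELS - len(ids))

def numeric_features(frame_len: int, qname: str) -> list[float]:
    """Min-max normalize frame.len, query-name length and label count into [0, 1], clipping outliers."""
    name = qname.rstrip(".")
    raw = [float(frame_len), float(len(name)), float(name.count(".") + 1)]
    return [min(1.0, max(0.0, (x - lo) / (hi - lo))) for x, (lo, hi) in zip(raw, FEATURE_BOUNDS)]

def build_windows(records: list[tuple[int, str]]) -> list[list[tuple[list[int], list[float]]]]:
    """Group time-ordered (frame.len, qname) records into non-overlapping windows; an incomplete tail is dropped."""
    steps = [(tokenize_domain(q), numeric_features(fl, q)) for fl, q in records]
    return [steps[i:i + WINDOW] for i in range(0, len(steps) - WINDOW + 1, WINDOW)]

# Constructed sample telemetry: ordinary lookups followed by long, high-entropy subdomain queries.
SAMPLE = [
    (74, "www.example.com"), (80, "mail.example.com"), (77, "cdn.example.net"), (72, "api.example.org"),
    (318, "x9f2k1a8m3q7z0p4w6e5r2t8y1u3i9o0.s1.t.example-tunnel.test"),
    (322, "b7n4v2c9x1z8a5s3d6f0g4h2j7k9l1q5.s2.t.example-tunnel.test"),
    (315, "m2n8b4v6c0x1z3a9s5d7f1g3h8j2k4l6.s3.t.example-tunnel.test"),
    (320, "p1o3i5u7y9t2r4e6w8q0a1s3d5f7g9h2.s4.t.example-tunnel.test"),
]

if __name__ == "__main__":
    for w in build_windows(SAMPLE):
        print([round(step[1][0], 2) for step in w])  # normalized frame.len per window step
```

Each window is a fixed-shape sequence of (token ids, numeric vector) pairs, which is the input form a sequence model such as the paper's xLSTM consumes in a single pass without any graph construction.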