Methods, systems, and computer readable media for detecting a compromised computing host
US-2016026796-A1 · Jan 28, 2016 · US
US9794229B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9794229-B2 |
| Application number | US-201514870822-A |
| Country | US |
| Kind code | B2 |
| Filing date | Sep 30, 2015 |
| Priority date | Apr 3, 2015 |
| Publication date | Oct 17, 2017 |
| Grant date | Oct 17, 2017 |
Official abstract text for this publication.
New and improved techniques for a behavior analysis based DNS tunneling detection and classification framework for network security are disclosed. In some embodiments, a platform implementing an analytics framework for DNS security is provided for facilitating DNS tunneling detection. For example, an online platform can implement an analytics framework for DNS security based on passive DNS traffic analysis.
Opening claim text (preview).
What is claimed is:

1. A system for an online platform for implementing a behavior analysis based DNS tunneling detection and classification framework for network security, comprising: a processor configured to: receive a Domain Name Server (DNS) data stream; process the DNS data stream to identify DNS tunneling activity based on a behavioral analysis model applied to a time series collection of passive DNS traffic data, comprising to: perform the following DNS feature extractions to be input into the behavioral analysis model: perform at least one of the following: determine entropy of a text string in the DNS data stream based on a distribution of a character set within the text string; or determine a lexical feature based on human readable characters and non-human readable characters within a text string, wherein the human readable characters include alphabet characters; and determine a value in a percentile of an N-gram score distribution from a text string in the DNS data stream, wherein the percentile is determined based on a character set within a text string, and wherein N is an integer greater than or equal to 2; and perform a mitigation action based on the identified DNS tunneling activity; and a memory coupled to the processor and configured to provide the processor with instructions.

2. The system recited in claim 1, wherein the DNS data stream includes DNS query and DNS response data.

3. The system recited in claim 1, wherein a network domain is determined to be a bad network domain based on an association with the identified DNS tunneling activity, and wherein the bad network domain is associated with a Fully Qualified Domain Name (FQDN).

4. The system recited in claim 1, wherein a network domain is determined to be a bad network domain based on an association with the identified DNS tunneling activity, and wherein the processor is further configured to: determine a host is infected based on detecting a DNS query request to the bad network domain from the host.

5. The system recited in claim 1, wherein a network domain is determined to be a bad network domain based on an association with the identified DNS tunneling activity, and wherein the processor is further configured to: determine a host is infected based on detecting a DNS query request to the bad network domain from the host; and perform another mitigation action based on the determined infected host.

6. The system recited in claim 1, wherein a network domain is determined to be a bad network domain based on an association with the identified DNS tunneling activity, and wherein the mitigation action includes one or more of the following: generate a firewall rule based on the bad network domain; configure a network device to block network communications with the bad network domain; quarantine an infected host, wherein the infected host is determined to be infected based on an association with the bad network domain; and add the bad network domain to a reputation feed.

7. The system recited in claim 1, wherein a network domain is determined to be a bad network domain based on an association with the identified DNS tunneling activity, and wherein the processor is further configured to: identify a source IP address, a source host, or an attempt to query the bad network domain.

8. The system recited in claim 1, wherein the processor is further configured to: store the time series collection of passive DNS traffic data in an observation cache.

9. The system recited in claim 1, wherein the processor is further configured to: receive DNS data that is collected from an agent executed on a DNS appliance.

10. The system recited in claim 1, wherein the processor is further configured to: extract a plurality of features from the DNS data stream to detect DNS tunneling based on the extracted plurality of features.

11. A method of an online platform for implementing a behavior analysis based DNS tunneling detection and classification framework for network security, comprising: receiving a Domain Name Server (DNS) data stream; processing the DNS data stream using a processor to identify DNS tunneling activity based on a behavioral analysis model applied to a time series collection of passive DNS traffic data, comprising: performing the following DNS feature extractions to be input into the behavioral analysis model: performing at least one of the following: determining entropy of a text string in the DNS data stream based on a distribution of a character set within the text string; or determining a lexical feature based on human readable characters and non-human readable characters within a text string, wherein the human readable characters include alphabet characters; and determining a value in a percentile of an N-gram score distribution from a text string in the DNS data stream, wherein the percentile is determined based on a character set within a text string, and wherein N is an integer greater than or equal to 2; and performing a mitigation action based on the identified DNS tunneling activity.

12. The method of claim 11, wherein the DNS data stream includes DNS query and DNS response data.

13. The method of claim 11, wherein a network domain is determined to be a bad network domain based on an association with the identified DNS tunneling activity, and wherein the bad network domain is associated with a Fully Qualified Domain Name (FQDN).

14. The method of claim 11, wherein a network domain is determined to be a bad network domain based on an association with the identified DNS tunneling activity, and further comprising: determining a host is infected based on detecting a DNS query request to the bad network domain from the host.

15. The method of claim 11, wherein a network domain is determined to be a bad network domain based on an association with the identified DNS tunneling activity, and further comprising: determining a host is infected based on detecting a DNS query request to the bad network domain from the host; and performing another mitigation action based on the determined infected host.

16. A computer program product for an online platform for implementing a behavior analysis based DNS tunneling detection and classification framework for network security, the computer program product being embodied in a tangible non-transitory computer readable storage medium and comprising computer instructions for: receiving a Domain Name Server (DNS) data stream; processing the DNS data stream to identify DNS tunneling activity based on a behavioral analysis model applied to a time series collection of passive DNS traffic data, comprising: performing the following DNS feature extractions to be input into the behavioral analysis model: performing at least one of the following: determining entropy of a text string in the DNS data stream based on a distribution of a character set within the text string; or determining a lexical feature based on human readable characters and non-human readable characters within a text string, wherein the human readable characters include alphabet characters; and determining a value in a percentile of an N-gram score distribution from a text string in the DNS data stream, wherein the percentile is determined based on a character set within a text string, wherein the N-gram score distribution is determined based on historical publications, and wherein N is an integer greater than or equal to 2; and performing a mitigation action based on the identified DNS tunneling activity.

17. The computer program pro
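As an added illustration, not code from the patent or its assignee, the three feature extractions named in claim 1 computed for a single DNS label: character-distribution entropy, the alphabet-character lexical ratio, and the percentile of a bigram (N=2) score against a baseline score distribution. The benign label list and the sample labels are constructed here and stand in for the "historical" corpus the claims reference; the behavioral analysis model that consumes these features is not shown.

```python
import math
from collections import Counter

# Constructed stand-in for the claim's historical corpus: a few benign hostname labels.
BENIGN_LABELS = ["mail", "www", "login", "static", "cdn", "images", "api", "update",
                 "portal", "secure", "accounts", "support", "download", "news", "shop"]

def shannon_entropy(text):
    """Bits per character of the label's character distribution (entropy feature)."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def alpha_ratio(text):
    """Share of human readable (alphabet) characters in the label (lexical feature)."""
    return sum(ch.isalpha() for ch in text) / len(text) if text else 0.0

def ngram_model(labels, n=2):
    """Character n-gram counts over the baseline corpus, plus the total count."""
    counts = Counter(lbl[i:i + n] for lbl in labels for i in range(len(lbl) - n + 1))
    return counts, sum(counts.values())

def ngram_score(text, model, n=2):
    """Mean add-one-smoothed log probability of the label's n-grams; unseen n-grams score lowest."""
    counts, total = model
    grams = [text[i:i + n] for i in range(len(text) - n + 1)]
    if not grams:
        return 0.0
    vocab = len(counts) + 1
    return sum(math.log((counts[g] + 1) / (total + vocab)) for g in grams) / len(grams)

def percentile_rank(score, baseline_scores):
    """Percentile of score within the baseline distribution (0.0 = below every benign label)."""
    return 100.0 * sum(s <= score for s in baseline_scores) / len(baseline_scores)

def extract_features(label, model=None, baseline=None, n=2):
    """The three claim-1 features for one DNS label, ready to feed a classifier (not shown)."""
    label = label.lower()  # DNS names are case-insensitive
    model = model or ngram_model(BENIGN_LABELS, n)
    baseline = baseline or [ngram_score(b, model, n) for b in BENIGN_LABELS]
    return {
        "entropy": shannon_entropy(label),
        "alpha_ratio": alpha_ratio(label),
        "ngram_percentile": percentile_rank(ngram_score(label, model, n), baseline),
    }

if __name__ == "__main__":
    # Constructed samples: an ordinary hostname label and an encoded-looking one.
    for lbl in ["mail", "3q7zk9x2p0v1m8w4"]:
        print(lbl, extract_features(lbl))
```

The encoded-looking label lands at entropy 4.0 bits, half alphabet characters, and the 0th percentile of the bigram distribution, while "mail" sits at 2.0 bits, all alphabet, and a non-zero percentile; in practice the baseline must be large enough that legitimate but unusual labels (CDN hashes, SRV records) do not dominate the low percentiles.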
Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title
Traffic logging, e.g. anomaly detection · CPC title
Firewall traversal, e.g. tunnelling or, creating pinholes · CPC title