DNS and ICMP Tunneling Detection on a Raspberry Pi
ISEF Category: Embedded Systems
Ready to Turn This Idea Into a Real Project?
This guide was put together with the help of AI research tools to give you a solid starting point. But a competitive science fair project lives in the details: refining your research question, fine-tuning your variables, analyzing your data, and presenting your findings like a seasoned scientist.
For next steps tailored to your interests, skill level, and timeline, work one-on-one with a MehtA+ mentor. Learn more about MehtA+ Science & Engineering Research Mentorship →
Subcategory: Networking and Data Communications · Difficulty: Advanced · Setup: University Lab · Time: Full Year
The Hook
Your home router already sees a lot. It can tell normal web traffic from weird traffic that tries to hide inside it. DNS tunneling and ICMP tunneling do exactly that. If you can spot them on a tiny device like a Raspberry Pi, you are working on a real network security problem.
What Is It?
This project asks you to detect covert channels, which are hidden paths for sending data inside normal-looking network traffic. DNS tunneling hides data inside domain name lookups. ICMP tunneling hides data inside ping-like packets. Think of it like slipping a note into a stack of birthday cards, then hoping no one notices the odd size, shape, or pattern.
You can treat each network flow like a short story made of features. A flow can include packet counts, timing, lengths, and direction changes. A small transformer model can read those feature sequences and look for patterns that simpler rules miss. The Raspberry Pi part makes the project feel real, because you are testing whether a small edge device can help a router flag suspicious traffic fast enough to matter.
Why This Is a Good Topic
This is a strong science fair topic because you can test clear classes, tune measurable features, and compare machine learning methods on public data. It connects to cybersecurity, home network safety, and edge computing, so the real-world value is easy to explain. You can also learn practical skills like data cleaning, feature engineering, model evaluation, and error analysis. That makes the project deeper than a simple yes-or-no detector.
Research Questions
- How does stream-feature selection affect detection accuracy for DNS tunneling and ICMP tunneling?
- What is the effect of using a small transformer instead of a simpler classifier on false positives?
- Does adding timing features improve classification of covert DNS traffic?
- To what extent can a Raspberry Pi run the detector with acceptable latency?
- Which packet-level features best separate normal traffic from tunneling traffic?
- How does model performance change when you train on one CIC-IDS dataset and test on another?
Basic Materials
- Raspberry Pi 4 or similar single-board computer.
- microSD card with operating system installed.
- Laptop or desktop computer for model training and analysis.
- Public CIC-IDS dataset files.
- Python installed on the analysis computer.
- Wi-Fi router or network simulator for deployment testing.
- Ethernet cable for stable network capture.
- External storage for dataset files and logs.
Advanced Materials
- Raspberry Pi 4 or similar single-board computer.
- Managed home router or router testbed with logging support.
- Linux workstation with enough RAM for model training.
- Network tap or mirrored switch port for packet capture.
- Public CIC-IDS datasets and any additional labeled traffic traces.
- USB Ethernet adapter for separate capture and forwarding paths.
- Power meter or USB power monitor for edge-device profiling.
- Packet capture hardware or software for high-fidelity traffic logging.
Software & Tools
- Python: Runs data cleaning, feature extraction, model training, and evaluation scripts.
- scikit-learn: Builds baseline classifiers and compares them against the transformer model.
- PyTorch: Trains the small transformer on sequence features.
- Wireshark: Lets you inspect packet patterns and confirm that your labels make sense.
- pandas: Organizes flow tables, labels, and summary statistics.
Experiment Steps
- Define the traffic classes you will separate and decide whether you want binary or multiclass detection.
- Choose flow-level and stream-level features that a router or edge device can gather without deep packet inspection.
- Build a clean train, validation, and test split so traffic from the same capture session does not leak across sets.
- Set up a baseline model first, then compare it with a small transformer to see whether sequence modeling adds value.
- Plan edge deployment tests on the Raspberry Pi, including memory use, latency, and throughput.
- Design an error analysis pass that checks which kinds of tunneling traffic the model misses and why.
Common Pitfalls
- Mixing packets from the same session across train and test sets, which inflates accuracy.
- Using only accuracy, which hides false positives on rare tunneling traffic.
- Training on one dataset split and assuming it will generalize to all home network traffic.
- Choosing features that depend on full packet payloads, which may not work on a router.
- Skipping deployment tests on the Raspberry Pi, which leaves you with a model that is too slow to be useful.
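As an added illustration of the Experiment Steps and the first two pitfalls above (not code from the original page or from any CIC-IDS tooling), the block below turns constructed packet records into the flow-level features the text names (packet counts, lengths, timing, direction changes), builds the per-packet token sequence a small transformer would consume, and holds out whole capture sessions so no session leaks between train and test. The packet records, session ids and flow keys are all made up for the example.

```python
"""Added example: per-flow features plus a session-grouped split (constructed data)."""
from collections import defaultdict
from statistics import mean

# Constructed packet records, not taken from any real capture or CIC-IDS file:
# (session_id, flow_key, timestamp_s, direction, length_bytes)
# direction: 1 = client -> resolver, -1 = resolver -> client
PACKETS = [
    ("s1", "10.0.0.5:53", 0.00, 1, 62), ("s1", "10.0.0.5:53", 0.02, -1, 78),
    ("s1", "10.0.0.5:53", 5.00, 1, 60), ("s1", "10.0.0.5:53", 5.03, -1, 90),
    ("s2", "10.0.0.9:53", 0.00, 1, 230), ("s2", "10.0.0.9:53", 0.05, -1, 250),
    ("s2", "10.0.0.9:53", 0.10, 1, 240), ("s2", "10.0.0.9:53", 0.15, -1, 255),
    ("s2", "10.0.0.9:53", 0.20, 1, 238), ("s2", "10.0.0.9:53", 0.25, -1, 249),
    ("s3", "10.0.0.7:53", 0.00, 1, 64), ("s3", "10.0.0.7:53", 0.04, -1, 80),
]

def group_by_flow(packets):
    """Bucket packets by (session, flow_key) so every flow keeps its session id."""
    flows = defaultdict(list)
    for session, key, ts, direction, length in packets:
        flows[(session, key)].append((ts, direction, length))
    return flows

def flow_features(pkts):
    """Summary features a router can collect without reading DNS payloads."""
    pkts = sorted(pkts)
    lengths = [p[2] for p in pkts]
    iats = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])]  # inter-arrival times
    return {
        "pkt_count": len(pkts),
        "mean_len": mean(lengths),
        "max_len": max(lengths),
        "mean_iat": mean(iats) if iats else 0.0,
        "dir_changes": sum(1 for a, b in zip(pkts, pkts[1:]) if a[1] != b[1]),
        "out_ratio": sum(p[2] for p in pkts if p[1] == 1) / sum(lengths),
    }

def feature_sequence(pkts, max_len=8):
    """Per-packet (direction, length, inter-arrival) tokens, zero-padded, for a sequence model."""
    pkts = sorted(pkts)[:max_len]
    seq = [(d, n, 0.0 if i == 0 else ts - pkts[i - 1][0]) for i, (ts, d, n) in enumerate(pkts)]
    return seq + [(0, 0, 0.0)] * (max_len - len(seq))

def split_by_session(flow_keys, test_sessions):
    """Hold out whole capture sessions so no session appears in both train and test."""
    train = [k for k in flow_keys if k[0] not in test_sessions]
    test = [k for k in flow_keys if k[0] in test_sessions]
    if {k[0] for k in train} & {k[0] for k in test}:
        raise ValueError("session leaked across train and test")
    return train, test
```

The high packet rate, large lengths and rapid direction changes of the constructed `s2` flow are the kind of pattern a tunnel detector looks for, while `s1` shows sparse, short lookups; the split keeps `s3` entirely out of training.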
What Makes This Competitive
A competitive version of this project does more than report high accuracy. It explains which features matter, why the model makes mistakes, and how well the system works on edge hardware. Strong projects compare baselines, test generalization across datasets, and report latency, memory use, and false positive rate. If you can show a design that stays useful on a small device and still catches subtle covert traffic, your work looks much closer to real network security research.
Project Variations
- Test whether the detector still works on encrypted traffic metadata instead of full packet content.
- Compare DNS tunneling detection against ICMP tunneling detection as two separate binary tasks.
- Add a resource-usage study that measures how model size changes Pi-side latency and memory load.
Learn More
- CIC-IDS datasets: Search for the CICIDS2017 and related intrusion-detection datasets from the Canadian Institute for Cybersecurity.
- NIST National Cybersecurity Center of Excellence: Find free guidance on network monitoring and anomaly detection.
- Wireshark User Guide: Learn packet analysis basics from the official documentation.
- MIT OpenCourseWare: Search for network security and machine learning course materials.
- PubMed: Search review articles on network intrusion detection and covert channels for background reading.
Embedded Systems Category Guide
How to Do Real Embedded Systems Research at Home: A High School Student’s Guide to Free Tools, Affordable Kits, and Public Datasets →
