Building a dynamic reputation system for DNS
USENIX Security Symposium, pp.18-18, (2010)
The Domain Name System (DNS) is an essential protocol used by both legitimate Internet applications and cyber attacks. For example, botnets rely on DNS to support agile command and control infrastructures. An effective way to disrupt these attacks is to place malicious domains on a "blocklist" (or "blacklist") or to add a filtering rule i...
- The Domain Name System (DNS) [12, 13] maps domain names to IP addresses, and provides a core service to applications on the Internet.
- The aggressive use of newly registered domain names is seen in other contexts, such as spam campaigns and malicious flux networks [25, 19].
- This strategy delays takedowns, degrades the effectiveness of blacklists, and pollutes the Internet’s name space with unwanted, discarded domains.
- We show that Notos can identify malicious domain names sooner than public blacklists, with a low false positive rate (FP%) of 0.38% and high true positive rate (TP%) of 96.8%
- We computed vectors based on the statistical features from 250,000 unique RRs. This volume corresponds to the average volume of new – previously unseen – RRs observed at two recursive Domain Name System servers in a major ISP in one day, as noted in Section 4, Figure 7(b)
- We presented Notos, a dynamic reputation system for the Domain Name System
- To the best of our knowledge, Notos is the first system that can assign a dynamic reputation score to any domain name in a Domain Name System query that traverses the edge of a monitored network
- Our evaluation using real-world data, which includes traffic from large ISP networks, demonstrates that Notos is highly accurate in identifying new malicious domains in the monitored Domain Name System query traffic, with a true positive rate of 96.8% and false positive rate of 0.38%
- The authors present the experimental results of the evaluation. The authors show that Notos can identify malicious domain names sooner than public blacklists, with a low false positive rate (FP%) of 0.38% and high true positive rate (TP%) of 96.8%.
- The accuracy of the Meta-Classification system (Figure 4(a)) in the network profile module is critical for the overall performance of Notos
- This is because, in the on-line mode, Notos will receive unlabeled vectors which must be classified and correlated with what is already present in the knowledge base.
- If the classifier receives a new RR and assigns to it the label Akamai with very high confidence, that implies the RR which produced this vector will be part of a network similar to Akamai.
- The authors discuss the accuracy of the Meta-Classifier when modeling each different network profile class
- This section discusses the limits of Notos, and the potential for evasion in real networks.
- Notos harvests information from multiple sources, such as the DNS zones that domain names belong to, the related IP addresses, BGP prefixes, AS information and honeypot analysis, to maintain up-to-date DNS information about legitimate and malicious domain names
- Based on this information, Notos uses automated classification and clustering algorithms to model network and zone behaviors of legitimate and malicious domains, and applies these models to compute a reputation score for a domain name.
- Notos is capable of identifying these malicious domains weeks or even months before they appear in public blacklists, enabling proactive security countermeasures against cyber attacks
- Table 1: Sample cases from Zeus domains detected by Notos and the corresponding days they appeared in the public BLs. All evidence information in this table was harvested from zeustracker.abuse.ch
- Table 2: Anecdotal cases of malicious domain names detected by Notos and the corresponding days they appeared in the public BLs [1]
- Additionally, we thank the Internet Security Consortium Security Information Exchange project (ISC@SIE) for providing a portion of the DNS data used in our experiments. This material is based upon work supported in part by the National Science Foundation under grant no. 0831300, the Department of Homeland Security under contract no
- FA8750-08-2-0141, the Office of Naval Research under grants no
- [1] D. Anderson, C. Fleizach, S. Savage, and G. Voelker. Spamscatter: Characterizing Internet scam hosting infrastructure. In Proceedings of the USENIX Security Symposium, 2007.
- [2] L. Breiman. Bagging predictors. Machine Learning, 24(2):123–140, 1996.
- [3] Internet Systems Consortium. SIE@ISC: Security Information Exchange. https://sie.isc.org/, 2004.
- [4] A. Dinaburg, P. Royal, M. Sharif, and W. Lee. Ether: Malware analysis via hardware virtualization extensions. In Proceedings of ACM CCS, 2008.
- [5] SORBS DNSBL. Fighting spam by finding and listing exploitable servers. http://www.us.sorbs.net/, 2007.
- [6] R. Duda, P. Hart, and D. Stork. Pattern Classification. Wiley-Interscience, 2nd edition, 2000.
- [7] M. Felegyhazi, C. Kreibich, and V. Paxson. On the potential of proactive domain blacklisting. In Third USENIX LEET Workshop, 2010.
- [8] S. Garera, N. Provos, M. Chew, and A. Rubin. A framework for detection and measurement of phishing attacks. In Proceedings of ACM WORM, 2007.
- [9] B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna. Your botnet is my botnet: Analysis of a botnet takeover. In Proceedings of ACM CCS '09, New York, NY, USA, 2009. ACM.
- [10] T. Holz, C. Gorecki, K. Rieck, and F. Freiling. Measuring and detecting fast-flux service networks. In Proceedings of NDSS, 2008.
- [11] T. Hothorn and B. Lausen. Double-bagging: Combining classifiers by bootstrap aggregation. Pattern Recognition, 36(6):1303–1309, 2003.
- [12] P. Mockapetris. Domain names - concepts and facilities. http://www.ietf.org/rfc/rfc1034.txt, 1987.
- [13] P. Mockapetris. Domain names - implementation and specification. http://www.ietf.org/rfc/rfc1035.txt, 1987.
- [14] OpenDNS. OpenDNS - Internet Navigation and Security. http://www.opendns.com/, 2010.
- [15] P. Porras, H. Saidi, and V. Yegneswaran. An Analysis of Conficker's Logic and Rendezvous Points. http://mtc.sri.com/Conficker/, 2009.
- [16] R. Perdisci, W. Lee, and N. Feamster. Behavioral clustering of HTTP-based malware and signature generation using malicious network traces. In Proceedings of USENIX NSDI, 2010.
- [17] D. Plonka and P. Barford. Context-aware clustering of DNS query traffic. In Proceedings of the 8th ACM IMC, Vouliagmeni, Greece, 2008.
- [18] The Spamhaus Project. ZEN - Spamhaus DNSBLs. http://www.spamhaus.org/zen/, 2004.
- [19] R. Perdisci, I. Corona, D. Dagon, and W. Lee. Detecting malicious flux service networks through passive analysis of recursive DNS traces. In Proceedings of ACSAC, Honolulu, Hawaii, USA, 2009.
- [20] http://www.damballa.com/downloads/r_pubs/KrakenWhitepaper.pdf, 2008.
- [21] S. Hao, N. Syed, N. Feamster, A. Gray, and S. Krasser. Detecting spammers with SNARE: Spatio-temporal network-level automatic reputation engine. In Proceedings of the USENIX Security Symposium, 2009.
- [22] S. Shevchenko. Srizbi Domain Generator Calculator. http://blog.threatexpert.com/2008/11/srizbis-domain-calculator.html, 2008.
- [23] K. Sato, K. Ishibashi, T. Toyono, and N. Miyake. Extending black domain name list by using co-occurrence relation between DNS queries. In Third USENIX LEET Workshop, 2010.
- [24] S. Sinha, M. Bailey, and F. Jahanian. Shades of grey: On the effectiveness of reputation-based blacklists. In 3rd International Conference on MALWARE, 2008.
- [25] The Honeynet Project & Research Alliance. Know Your Enemy: Fast-Flux Service Networks. http://old.honeynet.org/papers/ff/fast-flux.html, 2007.
- [26] URIBL. Real time URI blacklist. http://uribl.com.
- [27] F. Weimer. Passive DNS replication. In Proceedings of the FIRST Conference on Computer Security Incident Handling, Singapore, 2005.
- [28] Z. Qian, Z. Mao, Y. Xie, and F. Yu. On network-level clusters for spam detection. In Proceedings of NDSS, 2010.
- [29] B. Zdrnja, N. Brownlee, and D. Wessels. Passive monitoring of DNS anomalies. In Proceedings of the DIMVA Conference, 2007.
- [30] Zeus Tracker. Zeus IP & domain name block list. https://zeustracker.abuse.ch, 2009.
- [31] J. Zhang, P. Porras, and J. Ullrich. Highly predictive blacklisting. In Proceedings of the USENIX Security Symposium, 2008.