Building a dynamic reputation system for DNS

USENIX Security Symposium, pp.18-18, (2010)

Abstract

The Domain Name System (DNS) is an essential protocol used by both legitimate Internet applications and cyber attacks. For example, botnets rely on DNS to support agile command and control infrastructures. An effective way to disrupt these attacks is to place malicious domains on a "blocklist" (or "blacklist") or to add a filtering rule i...

Introduction
  • The Domain Name System (DNS) [12, 13] maps domain names to IP addresses, and provides a core service to applications on the Internet.
  • The aggressive use of newly registered domain names is seen in other contexts, such as spam campaigns and malicious flux networks [25, 19].
  • This strategy delays takedowns, degrades the effectiveness of blacklists, and pollutes the Internet’s name space with unwanted, discarded domains.
Highlights
  • We show that Notos can identify malicious domain names sooner than public blacklists, with a low false positive rate (FP%) of 0.38% and high true positive rate (TP%) of 96.8%
  • We computed vectors based on the statistical features from 250,000 unique RRs. This volume corresponds to the average volume of new – previously unseen – RRs observed at two recursive Domain Name System servers in a major ISP in one day, as noted in Section 4, Figure 7(b)
  • We presented Notos, a dynamic reputation system for Domain Name System
  • To the best of our knowledge, Notos is the first system that can assign a dynamic reputation score to any domain name in a Domain Name System query that traverses the edge of a monitored network
  • Our evaluation using real-world data, which includes traffic from large ISP networks, demonstrates that Notos is highly accurate in identifying new malicious domains in the monitored Domain Name System query traffic, with a true positive rate of 96.8% and false positive rate of 0.38%
Results
  • This section presents the experimental results of the evaluation. Notos identifies malicious domain names sooner than public blacklists, with a low false positive rate (FP%) of 0.38% and a high true positive rate (TP%) of 96.8%.
  • The accuracy of the Meta-Classification system (Figure 4(a)) in the network profile module is critical to the overall performance of Notos.
  • This is because, in on-line mode, Notos receives unlabeled vectors that must be classified and correlated with what is already present in the knowledge base.
  • If the classifier receives a new RR and assigns it the label Akamai with very high confidence, the RR that produced this vector is expected to be part of a network similar to Akamai's.
  • The authors discuss the accuracy of the Meta-Classifier when modeling each of the network profile classes.
Conclusion
  • This section discusses the limits of Notos, and the potential for evasion in real networks.
  • Notos harvests information from multiple sources, such as the DNS zones that domain names belong to, the related IP addresses, BGP prefixes, AS information and honeypot analysis, to maintain up-to-date DNS information about legitimate and malicious domain names.
  • Based on this information, Notos uses automated classification and clustering algorithms to model the network and zone behaviors of legitimate and malicious domains, and applies these models to compute a reputation score for a domain name.
  • Notos is capable of identifying these malicious domains weeks or even months before they appear in public blacklists, enabling proactive security countermeasures against cyber attacks.
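The pipeline sketched in the Results and Conclusion bullets above (a network-profile vector per resource record, a classifier that places a new RR in a known network class with a confidence, and a reputation score that also draws on evidence from known-malicious infrastructure), as an added example in Python. This is not the Notos authors' code: the passive-DNS records, the BGP table, the honeypot evidence and the class labels are constructed for the example; the six-feature vector, the nearest-centroid classifier, the inverse-distance confidence and the noisy-OR scoring rule are assumptions of this example rather than the published algorithm; and zone-based features are omitted.

```python
"""Notos-style network profiling and reputation scoring over constructed passive-DNS data.

Added example, not the Notos authors' code. The feature list, the nearest-centroid
classifier, the confidence rule and the noisy-OR score are assumptions; the data
below is constructed and not real.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
import math

# Constructed passive-DNS knowledge base: (hostname, resolved IP). Not real data.
KB_RRS = [
    ("cdn1.example-cdn.net", "203.0.113.10"), ("cdn1.example-cdn.net", "203.0.113.11"),
    ("cdn1.example-cdn.net", "203.0.113.12"), ("cdn2.example-cdn.net", "203.0.113.20"),
    ("static.example-cdn.net", "203.0.113.21"),
    ("www.bank-example.com", "198.51.100.5"), ("mail.bank-example.com", "198.51.100.6"),
    ("a8f3k2.badzone.biz", "192.0.2.7"), ("a8f3k2.badzone.biz", "198.51.100.99"),
    ("a8f3k2.badzone.biz", "203.0.113.200"), ("q9z1x0.badzone.biz", "192.0.2.8"),
    ("q9z1x0.badzone.biz", "192.0.2.150"),
]
# Assumed ground-truth labels for the knowledge base, keyed by second-level domain.
KB_LABELS = {"example-cdn.net": "cdn", "bank-example.com": "popular", "badzone.biz": "malicious"}
# New, previously unseen RRs observed at the recursive resolver today (constructed).
NEW_RRS = [("cdn3.example-cdn.net", "203.0.113.13"), ("x7y2w1.badzone.biz", "192.0.2.9")]
# Constructed BGP table (prefix -> origin ASN) and honeypot evidence. Not real allocations.
BGP = {"203.0.113.0/25": 64496, "203.0.113.128/25": 64497, "198.51.100.0/25": 64498,
       "198.51.100.128/25": 64499, "192.0.2.0/25": 64500, "192.0.2.128/25": 64501}
MALICIOUS_IPS = {"192.0.2.7", "192.0.2.150"}


def origin(ip):
    """Longest-prefix match of ip against the BGP table; returns (prefix, asn)."""
    addr = ip_address(ip)
    best = None
    for pfx, asn in BGP.items():
        net = ip_network(pfx)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return (str(best[0]), best[1]) if best else (None, None)


def second_level(hostname):
    return ".".join(hostname.split(".")[-2:])


def network_profile(hostname, rrs):
    """Six network-based features: distinct IPs / BGP prefixes / ASNs the hostname
    resolved to, then the same three counts over its whole 2LD zone."""
    zone = second_level(hostname)
    host_ips = {ip for h, ip in rrs if h == hostname}
    zone_ips = {ip for h, ip in rrs if second_level(h) == zone}
    vec = []
    for ips in (host_ips, zone_ips):
        origins = [origin(ip) for ip in ips]
        vec += [len(ips), len({p for p, _ in origins}), len({a for _, a in origins})]
    return vec


def build_centroids(rrs, labels):
    """Knowledge base: one centroid per network profile class."""
    by_class = defaultdict(list)
    for hostname in {h for h, _ in rrs}:
        by_class[labels[second_level(hostname)]].append(network_profile(hostname, rrs))
    return {cls: [sum(col) / len(vecs) for col in zip(*vecs)] for cls, vecs in by_class.items()}


def classify(vec, centroids):
    """Nearest-centroid meta-classifier. Returns (label, {class: weight}); weights are
    inverse Euclidean distances normalised to sum to 1, the winner's weight is its confidence."""
    inv = {}
    for cls, c in centroids.items():
        d = math.sqrt(sum((a - b) ** 2 for a, b in zip(vec, c)))
        inv[cls] = 1.0 / (d + 1e-9)  # epsilon guards an exact centroid hit
    total = sum(inv.values())
    weights = {cls: w / total for cls, w in inv.items()}
    return max(weights, key=weights.get), weights


def evidence(hostname, rrs):
    """Fraction of the 2LD zone's IPs that honeypot analysis tied to malware."""
    zone = second_level(hostname)
    zone_ips = {ip for h, ip in rrs if second_level(h) == zone}
    return len(zone_ips & MALICIOUS_IPS) / len(zone_ips) if zone_ips else 0.0


def reputation(hostname, rrs, centroids):
    """Assumed scoring rule: estimated probability that the domain is malicious, a
    noisy-OR of the classifier's weight on the malicious class and the evidence term.
    0 = looks legitimate, 1 = looks malicious."""
    label, weights = classify(network_profile(hostname, rrs), centroids)
    p_mal = weights.get("malicious", 0.0)
    score = 1.0 - (1.0 - p_mal) * (1.0 - evidence(hostname, rrs))
    return label, round(score, 3)


def score_new_rrs(kb_rrs=KB_RRS, new_rrs=NEW_RRS, labels=KB_LABELS):
    """On-line mode: freeze the knowledge base, then score each new RR against it,
    with the new RR's own zone history included in its feature vector."""
    centroids = build_centroids(kb_rrs, labels)
    observed = kb_rrs + new_rrs
    return {h: reputation(h, observed, centroids) for h, _ in new_rrs}


if __name__ == "__main__":
    for host, (label, score) in score_new_rrs().items():
        print(f"{host:28s} class={label:10s} score={score}")
```

Running the file scores the two new RRs: cdn3.example-cdn.net lands in the cdn class with a low score, while x7y2w1.badzone.biz, whose zone already spans four prefixes in four ASes and includes two honeypot-confirmed IPs, lands in the malicious class with a score above 0.5. The new hostnames' own features are identical (one IP, one prefix, one AS); it is the zone-level history and the evidence term that separate them, which is the reason a reputation system of this kind needs more than a per-name lookup.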
Tables
  • Table 1: Sample cases of Zeus domains detected by Notos and the corresponding days on which they appeared in the public BLs. All evidence in this table was harvested from zeustracker.abuse.ch.
  • Table 2: Anecdotal cases of malicious domain names detected by Notos and the corresponding days on which they appeared in the public BLs [1].
Funding
  • Additionally, we thank the Internet Security Consortium Security Information Exchange project (ISC@SIE) for providing a portion of the DNS data used in our experiments. This material is based upon work supported in part by the National Science Foundation under grant no. 0831300, the Department of Homeland Security under contract no. FA8750-08-2-0141, the Office of Naval Research under grants no.
References
  • D. Anderson, C. Fleizach, S. Savage, and G. Voelker. Spamscatter: Characterizing Internet scam hosting infrastructure. In Proceedings of the USENIX Security Symposium, 2007.
  • L. Breiman. Bagging predictors. Machine Learning, 24(2):123–140, 1996.
  • Internet Systems Consortium. SIE@ISC: Security Information Exchange. https://sie.isc.org/, 2004.
  • A. Dinaburg, P. Royal, M. Sharif, and W. Lee. Ether: Malware analysis via hardware virtualization extensions. In ACM CCS, 2008.
  • SORBS DNSBL. Fighting spam by finding and listing exploitable servers. http://www.us.sorbs.net/, 2007.
  • R. Duda, P. Hart, and D. Stork. Pattern Classification. Wiley-Interscience, 2nd edition, 2000.
  • M. Felegyhazi, C. Kreibich, and V. Paxson. On the potential of proactive domain blacklisting. In Third USENIX LEET Workshop, 2010.
  • S. Garera, N. Provos, M. Chew, and A. Rubin. A framework for detection and measurement of phishing attacks. In Proceedings of the ACM WORM, 2007.
  • B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna. Your botnet is my botnet: Analysis of a botnet takeover. In ACM CCS, New York, NY, USA, 2009.
  • T. Holz, C. Gorecki, K. Rieck, and F. Freiling. Measuring and detecting fast-flux service networks. In Proceedings of NDSS, 2008.
  • T. Hothorn and B. Lausen. Double-bagging: Combining classifiers by bootstrap aggregation. Pattern Recognition, 36(6):1303–1309, 2003.
  • P. Mockapetris. Domain names - concepts and facilities. http://www.ietf.org/rfc/rfc1034.txt, 1987.
  • P. Mockapetris. Domain names - implementation and specification. http://www.ietf.org/rfc/rfc1035.txt, 1987.
  • OpenDNS. OpenDNS — Internet Navigation And Security. http://www.opendns.com/, 2010.
  • P. Porras, H. Saidi, and V. Yegneswaran. An analysis of Conficker's logic and rendezvous points. http://mtc.sri.com/Conficker/, 2009.
  • R. Perdisci, W. Lee, and N. Feamster. Behavioral clustering of HTTP-based malware and signature generation using malicious network traces. In USENIX NSDI, 2010.
  • D. Plonka and P. Barford. Context-aware clustering of DNS query traffic. In Proceedings of the 8th IMC, Vouliagmeni, Greece, 2008.
  • The Spamhaus Project. ZEN - Spamhaus DNSBLs. http://www.spamhaus.org/zen/, 2004.
  • R. Perdisci, I. Corona, D. Dagon, and W. Lee. Detecting malicious flux service networks through passive analysis of recursive DNS traces. In Proceedings of ACSAC, Honolulu, Hawaii, USA, 2009.
  • http://www.damballa.com/downloads/r_pubs/KrakenWhitepaper.pdf, 2008.
  • S. Hao, N. Syed, N. Feamster, A. Gray, and S. Krasser. Detecting spammers with SNARE: Spatio-temporal network-level automatic reputation engine. In Proceedings of the USENIX Security Symposium, 2009.
  • S. Shevchenko. Srizbi domain generator calculator. http://blog.threatexpert.com/2008/11/srizbis-domain-calculator.html, 2008.
  • K. Sato, K. Ishibashi, T. Toyono, and N. Miyake. Extending black domain name list by using co-occurrence relation between DNS queries. In Third USENIX LEET Workshop, 2010.
  • S. Sinha, M. Bailey, and F. Jahanian. Shades of grey: On the effectiveness of reputation-based blacklists. In 3rd International Conference on MALWARE, 2008.
  • The Honeynet Project & Research Alliance. Know Your Enemy: Fast-Flux Service Networks. http://old.honeynet.org/papers/ff/fast-flux.html, 2007.
  • URIBL. Real-time URI blacklist. http://uribl.com.
  • F. Weimer. Passive DNS replication. In Proceedings of the FIRST Conference on Computer Security Incident Handling, Singapore, 2005.
  • Z. Qian, Z. Mao, Y. Xie, and F. Yu. On network-level clusters for spam detection. In Proceedings of NDSS, 2010.
  • B. Zdrnja, N. Brownlee, and D. Wessels. Passive monitoring of DNS anomalies. In Proceedings of DIMVA, 2007.
  • Zeus Tracker. Zeus IP & domain name block list. https://zeustracker.abuse.ch, 2009.
  • J. Zhang, P. Porras, and J. Ullrich. Highly predictive blacklisting. In Proceedings of the USENIX Security Symposium, 2008.