A method for identifying compromised clients based on DNS traffic analysis

Matija Stevanovic, Jens Myrup Pedersen, Alessandro D’Alconzo, Stefan Ruehrup

Publication: Contribution to journal › Journal article › Research › peer review

10 Citations (Scopus)

Abstract

DNS is widely abused by Internet criminals in order to provide reliable communication within malicious network infrastructure as well as flexible and resilient hosting of malicious content. This paper presents a novel detection method that can be used for identifying potentially compromised clients based on DNS traffic analysis. The proposed method identifies suspicious agile DNS mappings, i.e., mappings characterized by fast-changing domain names and/or IP addresses, often used by malicious services. The approach discovers clients that have queried domains contained within identified suspicious domain-to-IP mappings, thus assisting in pinpointing potentially compromised clients within the network. The proposed approach targets compromised clients in large-scale operational networks. We have evaluated the proposed approach using an extensive set of DNS traffic traces from different operational ISP networks. The evaluation illustrates great potential for accurately identifying suspicious domain-to-IP mappings and potentially compromised clients. Furthermore, the achieved performance indicates that the novel detection approach is promising with a view to adoption in operational ISP networks. Finally, the proposed approach targets both Fast-flux and Domain-flux, thus having an advantage over existing detection methods that identify compromised clients.
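The two-stage idea sketched in the abstract (first flag agile domain-to-IP mappings, then list the clients that queried them) can be illustrated over passive DNS records. The following is an added example written for this page, not the paper's own implementation: the log format, the fixed thresholds and the simplification that treats one IP serving many domains as the Domain-flux indicator are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed passive-DNS log lines (not real traffic):
# "<seq> <client_ip> <queried_domain> <resolved_ip>"
SAMPLE_LOG = """\
1 10.0.0.5 cdn.example.net 203.0.113.10
2 10.0.0.7 cdn.example.net 203.0.113.10
3 10.0.0.5 abc123.flux-example.org 198.51.100.1
4 10.0.0.5 abc123.flux-example.org 198.51.100.2
5 10.0.0.9 abc123.flux-example.org 198.51.100.3
6 10.0.0.9 abc123.flux-example.org 198.51.100.4
7 10.0.0.12 qwe987.flux-example.org 192.0.2.50
8 10.0.0.12 zxc654.flux-example.org 192.0.2.50
9 10.0.0.12 rty321.flux-example.org 192.0.2.50
10 10.0.0.12 uio111.flux-example.org 192.0.2.50
11 10.0.0.7 mail.example.net 203.0.113.20
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse log lines into (client_ip, domain, resolved_ip) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group(2), m.group(3).lower(), m.group(4)))
    return records


def find_agile_mappings(records, ip_threshold=3, domain_threshold=3):
    """Stage 1: flag agile mappings. A domain resolving to many IPs is the Fast-flux
    indicator; an IP serving many domains is the (simplified) Domain-flux indicator.
    The thresholds are illustrative assumptions, not values from the paper."""
    ips_per_domain = defaultdict(set)
    domains_per_ip = defaultdict(set)
    for _client, domain, ip in records:
        ips_per_domain[domain].add(ip)
        domains_per_ip[ip].add(domain)
    fast_flux = {d for d, ips in ips_per_domain.items() if len(ips) >= ip_threshold}
    domain_flux = {ip for ip, ds in domains_per_ip.items() if len(ds) >= domain_threshold}
    return fast_flux, domain_flux


def find_suspect_clients(records, fast_flux, domain_flux):
    """Stage 2: map each client to the suspicious domains it queried (empty -> not listed)."""
    suspects = defaultdict(set)
    for client, domain, ip in records:
        if domain in fast_flux or ip in domain_flux:
            suspects[client].add(domain)
    return dict(suspects)
```

Clients that only queried stable mappings (10.0.0.7 above) are not listed, which is the point of the second stage: the agile mapping, not the query volume, is what links a client to the suspicious infrastructure.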
Original language: English
Journal: International Journal of Information Security
Volume: 16
Issue number: 2
Pages (from-to): 115-132
Number of pages: 18
ISSN: 1615-5262
DOI: 10.1007/s10207-016-0331-3
Status: Published - 2017


Cite this

Stevanovic, Matija ; Pedersen, Jens Myrup ; D’Alconzo, Alessandro ; Ruehrup, Stefan. / A method for identifying compromised clients based on DNS traffic analysis. In: International Journal of Information Security. 2017 ; Vol. 16, No. 2. pp. 115-132.
@article{4831930bb3e3439f8fba7e4c3a39f78a,
title = "A method for identifying compromised clients based on DNS traffic analysis",
abstract = "DNS is widely abused by Internet criminals in order to provide reliable communication within malicious network infrastructure as well as flexible and resilient hosting of malicious content. This paper presents a novel detection method that can be used for identifying potentially compromised clients based on DNS traffic analysis. The proposed method identifies suspicious agile DNS mappings, i.e., mappings characterized by fast changing domain names or/and IP addresses, often used by malicious services. The approach discovers clients that have queried domains contained within identified suspicious domain-to-IP mappings, thus assisting in pinpointing potentially compromised clients within the network. The proposed approach targets compromised clients in large-scale operational networks. We have evaluated the proposed approach using an extensive set of DNS traffic traces from different operational ISP networks. The evaluation illustrates a great potential of accurately identifying suspicious domain-to-IP mappings and potentially compromised clients. Furthermore, the achieved performance indicate that the novel detection approach is promising in view of the adoption in operational ISP networks. Finally, the proposed approach targets both Fast-flux and Domain-flux, thus having an advantage over existing detection methods that identify compromised clients.",
keywords = "DNS, Traffic analysis, Client identification, Fast-flux, Domain-flux, Malware detection",
author = "Matija Stevanovic and Pedersen, {Jens Myrup} and Alessandro D’Alconzo and Stefan Ruehrup",
year = "2017",
doi = "10.1007/s10207-016-0331-3",
language = "English",
volume = "16",
pages = "115--132",
journal = "International Journal of Information Security",
issn = "1615-5262",
publisher = "Physica-Verlag",
number = "2",

}

A method for identifying compromised clients based on DNS traffic analysis. / Stevanovic, Matija; Pedersen, Jens Myrup; D’Alconzo, Alessandro; Ruehrup, Stefan.

In: International Journal of Information Security, Vol. 16, No. 2, 2017, pp. 115-132.


TY - JOUR

T1 - A method for identifying compromised clients based on DNS traffic analysis

AU - Stevanovic, Matija

AU - Pedersen, Jens Myrup

AU - D’Alconzo, Alessandro

AU - Ruehrup, Stefan

PY - 2017

Y1 - 2017

N2 - DNS is widely abused by Internet criminals in order to provide reliable communication within malicious network infrastructure as well as flexible and resilient hosting of malicious content. This paper presents a novel detection method that can be used for identifying potentially compromised clients based on DNS traffic analysis. The proposed method identifies suspicious agile DNS mappings, i.e., mappings characterized by fast changing domain names or/and IP addresses, often used by malicious services. The approach discovers clients that have queried domains contained within identified suspicious domain-to-IP mappings, thus assisting in pinpointing potentially compromised clients within the network. The proposed approach targets compromised clients in large-scale operational networks. We have evaluated the proposed approach using an extensive set of DNS traffic traces from different operational ISP networks. The evaluation illustrates a great potential of accurately identifying suspicious domain-to-IP mappings and potentially compromised clients. Furthermore, the achieved performance indicate that the novel detection approach is promising in view of the adoption in operational ISP networks. Finally, the proposed approach targets both Fast-flux and Domain-flux, thus having an advantage over existing detection methods that identify compromised clients.

AB - DNS is widely abused by Internet criminals in order to provide reliable communication within malicious network infrastructure as well as flexible and resilient hosting of malicious content. This paper presents a novel detection method that can be used for identifying potentially compromised clients based on DNS traffic analysis. The proposed method identifies suspicious agile DNS mappings, i.e., mappings characterized by fast changing domain names or/and IP addresses, often used by malicious services. The approach discovers clients that have queried domains contained within identified suspicious domain-to-IP mappings, thus assisting in pinpointing potentially compromised clients within the network. The proposed approach targets compromised clients in large-scale operational networks. We have evaluated the proposed approach using an extensive set of DNS traffic traces from different operational ISP networks. The evaluation illustrates a great potential of accurately identifying suspicious domain-to-IP mappings and potentially compromised clients. Furthermore, the achieved performance indicate that the novel detection approach is promising in view of the adoption in operational ISP networks. Finally, the proposed approach targets both Fast-flux and Domain-flux, thus having an advantage over existing detection methods that identify compromised clients.

KW - DNS

KW - Traffic analysis

KW - Client identification

KW - Fast-flux

KW - Domain-flux

KW - Malware detection

UR - https://link.springer.com/article/10.1007/s10207-016-0331-3

U2 - 10.1007/s10207-016-0331-3

DO - 10.1007/s10207-016-0331-3

M3 - Journal article

VL - 16

SP - 115

EP - 132

JO - International Journal of Information Security

JF - International Journal of Information Security

SN - 1615-5262

IS - 2

ER -