A method for identifying compromised clients based on DNS traffic analysis

Matija Stevanovic, Jens Myrup Pedersen, Alessandro D’Alconzo, Stefan Ruehrup

Research output: Contribution to journalJournal articleResearchpeer-review

10 Citations (Scopus)

Abstract

DNS is widely abused by Internet criminals in order to provide reliable communication within malicious network infrastructure as well as flexible and resilient hosting of malicious content. This paper presents a novel detection method that can be used for identifying potentially compromised clients based on DNS traffic analysis. The proposed method identifies suspicious agile DNS mappings, i.e., mappings characterized by fast changing domain names or/and IP addresses, often used by malicious services. The approach discovers clients that have queried domains contained within identified suspicious domain-to-IP mappings, thus assisting in pinpointing potentially compromised clients within the network. The proposed approach targets compromised clients in large-scale operational networks. We have evaluated the proposed approach using an extensive set of DNS traffic traces from different operational ISP networks. The evaluation illustrates a great potential of accurately identifying suspicious domain-to-IP mappings and potentially compromised clients. Furthermore, the achieved performance indicate that the novel detection approach is promising in view of the adoption in operational ISP networks. Finally, the proposed approach targets both Fast-flux and Domain-flux, thus having an advantage over existing detection methods that identify compromised clients.
Original languageEnglish
JournalInternational Journal of Information Security
Volume16
Issue number2
Pages (from-to)115-132
Number of pages18
ISSN1615-5262
DOIs
Publication statusPublished - 2017

Fingerprint

Fluxes
Internet
Communication

Keywords

  • DNS
  • Traffic analysis
  • Client identification
  • Fast-flux
  • Domain-flux
  • Malware detection

Cite this

@article{4831930bb3e3439f8fba7e4c3a39f78a,
title = "A method for identifying compromised clients based on DNS traffic analysis",
abstract = "DNS is widely abused by Internet criminals in order to provide reliable communication within malicious network infrastructure as well as flexible and resilient hosting of malicious content. This paper presents a novel detection method that can be used for identifying potentially compromised clients based on DNS traffic analysis. The proposed method identifies suspicious agile DNS mappings, i.e., mappings characterized by fast changing domain names or/and IP addresses, often used by malicious services. The approach discovers clients that have queried domains contained within identified suspicious domain-to-IP mappings, thus assisting in pinpointing potentially compromised clients within the network. The proposed approach targets compromised clients in large-scale operational networks. We have evaluated the proposed approach using an extensive set of DNS traffic traces from different operational ISP networks. The evaluation illustrates a great potential of accurately identifying suspicious domain-to-IP mappings and potentially compromised clients. Furthermore, the achieved performance indicate that the novel detection approach is promising in view of the adoption in operational ISP networks. Finally, the proposed approach targets both Fast-flux and Domain-flux, thus having an advantage over existing detection methods that identify compromised clients.",
keywords = "DNS, Traffic analysis, Client identification, Fast-flux, Domain-flux, Malware detection",
author = "Matija Stevanovic and Pedersen, {Jens Myrup} and Alessandro D’Alconzo and Stefan Ruehrup",
year = "2017",
doi = "10.1007/s10207-016-0331-3",
language = "English",
volume = "16",
pages = "115--132",
journal = "International Journal of Information Security",
issn = "1615-5262",
publisher = "Springer Publishing Company",
number = "2",

}

A method for identifying compromised clients based on DNS traffic analysis. / Stevanovic, Matija; Pedersen, Jens Myrup; D’Alconzo, Alessandro; Ruehrup, Stefan.

In: International Journal of Information Security, Vol. 16, No. 2, 2017, p. 115-132.

Research output: Contribution to journalJournal articleResearchpeer-review

TY - JOUR

T1 - A method for identifying compromised clients based on DNS traffic analysis

AU - Stevanovic, Matija

AU - Pedersen, Jens Myrup

AU - D’Alconzo, Alessandro

AU - Ruehrup, Stefan

PY - 2017

Y1 - 2017

N2 - DNS is widely abused by Internet criminals in order to provide reliable communication within malicious network infrastructure as well as flexible and resilient hosting of malicious content. This paper presents a novel detection method that can be used for identifying potentially compromised clients based on DNS traffic analysis. The proposed method identifies suspicious agile DNS mappings, i.e., mappings characterized by fast changing domain names or/and IP addresses, often used by malicious services. The approach discovers clients that have queried domains contained within identified suspicious domain-to-IP mappings, thus assisting in pinpointing potentially compromised clients within the network. The proposed approach targets compromised clients in large-scale operational networks. We have evaluated the proposed approach using an extensive set of DNS traffic traces from different operational ISP networks. The evaluation illustrates a great potential of accurately identifying suspicious domain-to-IP mappings and potentially compromised clients. Furthermore, the achieved performance indicate that the novel detection approach is promising in view of the adoption in operational ISP networks. Finally, the proposed approach targets both Fast-flux and Domain-flux, thus having an advantage over existing detection methods that identify compromised clients.

AB - DNS is widely abused by Internet criminals in order to provide reliable communication within malicious network infrastructure as well as flexible and resilient hosting of malicious content. This paper presents a novel detection method that can be used for identifying potentially compromised clients based on DNS traffic analysis. The proposed method identifies suspicious agile DNS mappings, i.e., mappings characterized by fast changing domain names or/and IP addresses, often used by malicious services. The approach discovers clients that have queried domains contained within identified suspicious domain-to-IP mappings, thus assisting in pinpointing potentially compromised clients within the network. The proposed approach targets compromised clients in large-scale operational networks. We have evaluated the proposed approach using an extensive set of DNS traffic traces from different operational ISP networks. The evaluation illustrates a great potential of accurately identifying suspicious domain-to-IP mappings and potentially compromised clients. Furthermore, the achieved performance indicate that the novel detection approach is promising in view of the adoption in operational ISP networks. Finally, the proposed approach targets both Fast-flux and Domain-flux, thus having an advantage over existing detection methods that identify compromised clients.

KW - DNS

KW - Traffic analysis

KW - Client identification

KW - Fast-flux

KW - Domain-flux

KW - Malware detection

UR - https://link.springer.com/article/10.1007/s10207-016-0331-3

U2 - 10.1007/s10207-016-0331-3

DO - 10.1007/s10207-016-0331-3

M3 - Journal article

VL - 16

SP - 115

EP - 132

JO - International Journal of Information Security

JF - International Journal of Information Security

SN - 1615-5262

IS - 2

ER -