Abstract
DNS hijacking represents a security threat to users because it enables bypassing existing DNS security measures. Several malware families exploit this by changing the client DNS configuration to point to a malicious DNS resolver. Following the assumption that users will never actively choose to use a resolver that is not well-known, our paper introduces the idea of detecting client-based DNS hijacking by classifying public resolvers based on whether they are well-known or not. Furthermore, we propose to use NetFlow-based features to classify a resolver as well-known or malicious. By characterizing and manually labelling the 405 resolvers seen in four weeks of NetFlow data from a national ISP, we show that classification of both well-known and malicious servers can be made with an AUROC of 0.85.
| Original language | English |
|---|---|
| Title of host publication | 2022 IEEE Conference on Communications and Network Security (CNS) |
| Number of pages | 8 |
| Publisher | IEEE |
| Publication date | 14 Nov 2022 |
| Pages | 273-280 |
| ISBN (Print) | 978-1-6654-6256-3 |
| ISBN (Electronic) | 978-1-6654-6255-6 |
| DOIs | |
| Publication status | Published - 14 Nov 2022 |
| Event | 2022 IEEE Conference on Communications and Network Security (CNS) - Austin, United States Duration: 3 Oct 2022 → 5 Oct 2022 |
Conference
| Conference | 2022 IEEE Conference on Communications and Network Security (CNS) |
|---|---|
| Country/Territory | United States |
| City | Austin |
| Period | 03/10/2022 → 05/10/2022 |
Bibliographical note
Funding Agency:Telenor A/S and Innovation Fund Denmark
Keywords
- NetFlow
- IPFix
- DNS
- hijacking
- malware