Abstract
DNS hijacking is a security threat to users because it bypasses existing DNS security measures: several malware families change the client's DNS configuration so that it points to a malicious resolver. Starting from the assumption that users never actively choose a resolver that is not well-known, this paper introduces the idea of detecting client-based DNS hijacking by classifying the public resolvers a client talks to as well-known or not. We further propose NetFlow-based features for classifying a resolver as well-known or malicious. By characterizing and manually labelling the 405 resolvers observed in four weeks of NetFlow data from a national ISP, we show that both well-known and malicious resolvers can be classified with an AUROC of 0.85.
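The detection idea in the abstract, as an added example that is not code from the paper: aggregate per-resolver features from NetFlow-style records, screen resolvers against an allowlist of well-known public resolvers, and flag clients whose DNS traffic goes elsewhere. The flow records, the allowlist contents and the threshold rule standing in for the paper's trained classifier are all assumptions made for this example; the paper's actual feature set and labelled resolver list are not on this page.

```python
"""Toy NetFlow screening for client-side DNS hijacking (added example, not the paper's code)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed NetFlow-style records, one flow per line:
# src_ip,dst_ip,dst_port,proto,packets,bytes  (proto 17 = UDP, 6 = TCP)
SAMPLE_FLOWS = """\
10.0.0.11,8.8.8.8,53,17,3,210
10.0.0.12,8.8.8.8,53,17,5,360
10.0.0.13,1.1.1.1,53,17,2,150
10.0.0.14,1.1.1.1,53,17,4,300
10.0.0.15,9.9.9.9,53,17,1,70
10.0.0.16,8.8.8.8,53,17,7,500
10.0.0.16,10.1.1.53,53,17,6,420
10.0.0.17,203.0.113.45,53,17,40,2900
10.0.0.17,203.0.113.45,53,17,12,880
10.0.0.18,203.0.113.45,53,17,35,2600
10.0.0.11,192.0.2.10,443,6,20,4000
10.0.0.19,198.51.100.7,53,17,9,640
"""

# Assumed allowlist of well-known public resolvers; a real deployment keeps its own.
WELL_KNOWN_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1",
                        "9.9.9.9", "149.112.112.112"}

# ISP-internal / customer-premises resolvers are out of scope: only public resolvers are classified.
NON_PUBLIC = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
              ip_network("192.168.0.0/16")]

# Assumed threshold for the illustrative rule below (not the paper's classifier).
HEAVY_USE_PACKETS_PER_CLIENT = 10


def parse_flows(text):
    """Parse the CSV-style flow lines into dicts with typed numeric fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto, pkts, byts = line.split(",")
        flows.append({"src": src, "dst": dst, "dport": int(dport),
                      "proto": int(proto), "packets": int(pkts), "bytes": int(byts)})
    return flows


def is_public(ip):
    return not any(ip_address(ip) in net for net in NON_PUBLIC)


def dns_flows(flows):
    """Keep only UDP/53 flows toward a public destination (client -> resolver direction)."""
    return [f for f in flows
            if f["dport"] == 53 and f["proto"] == 17 and is_public(f["dst"])]


def resolver_features(flows):
    """Per-resolver features: client fan-in, flow count, packets per client, bytes per packet."""
    agg = defaultdict(lambda: {"clients": set(), "flows": 0, "packets": 0, "bytes": 0})
    for f in dns_flows(flows):
        a = agg[f["dst"]]
        a["clients"].add(f["src"])
        a["flows"] += 1
        a["packets"] += f["packets"]
        a["bytes"] += f["bytes"]
    return {ip: {"clients": len(a["clients"]),
                 "flows": a["flows"],
                 "packets_per_client": a["packets"] / len(a["clients"]),
                 "bytes_per_packet": a["bytes"] / a["packets"]}
            for ip, a in agg.items()}


def classify_resolver(ip, feats):
    """Allowlist first; otherwise an illustrative rule stands in for the trained model.

    A resolver that is not well-known yet carries heavy per-client DNS traffic looks like
    a hard-coded (hijacked) resolver rather than an incidental lookup.
    """
    if ip in WELL_KNOWN_RESOLVERS:
        return "well-known"
    if feats[ip]["packets_per_client"] >= HEAVY_USE_PACKETS_PER_CLIENT:
        return "candidate-malicious"
    return "unknown"


def hijacked_clients(flows):
    """Map each client to the sorted list of non-well-known public resolvers it queried."""
    feats = resolver_features(flows)
    hits = defaultdict(set)
    for f in dns_flows(flows):
        if classify_resolver(f["dst"], feats) != "well-known":
            hits[f["src"]].add(f["dst"])
    return {client: sorted(resolvers) for client, resolvers in sorted(hits.items())}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    feats = resolver_features(flows)
    for ip, f in feats.items():
        print(ip, classify_resolver(ip, feats), f)
    print("clients using non-well-known resolvers:", hijacked_clients(flows))
```

Resolvers inside the ISP's own address space are dropped before classification, since a customer pointing at an ISP resolver is not hijacked; the interesting population is the long tail of public resolvers that are neither well-known nor internal.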
| Field | Value |
|---|---|
| Original language | English |
| Title of host publication | 2022 IEEE Conference on Communications and Network Security (CNS) |
| Number of pages | 8 |
| Publisher | IEEE |
| Publication date | 14 Nov 2022 |
| Pages | 273-280 |
| ISBN (Print) | 978-1-6654-6256-3 |
| ISBN (Electronic) | 978-1-6654-6255-6 |
| DOIs | |
| Publication status | Published - 14 Nov 2022 |
| Event | 2022 IEEE Conference on Communications and Network Security (CNS), Austin, United States, 3 Oct 2022 → 5 Oct 2022 |
Conference
| Field | Value |
|---|---|
| Conference | 2022 IEEE Conference on Communications and Network Security (CNS) |
| Country/Territory | United States |
| City | Austin |
| Period | 03/10/2022 → 05/10/2022 |
Bibliographical note
Funding Agency: Telenor A/S and Innovation Fund Denmark
Keywords
- NetFlow
- IPFIX
- DNS
- hijacking
- malware