Privacy-Conscious Threat Intelligence Using DNSBloom

Roland van Rijswijk - Deij, Gijs Rijnders, Matthijs Bomhoff, Luca Allodi

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

Abstract

The Domain Name System (DNS) is an essential component of every interaction on the Internet. DNS translates human-readable names into machine readable IP addresses. Conversely, DNS requests provide a wealth of information about what goes on in the network. Malicious activity – such as phishing, malware and botnets – also makes use of the DNS. Thus, monitoring DNS traffic is essential for the security team’s toolbox. Yet because DNS is so essential to Internet services, tracking DNS is also highly privacy-invasive, as what domain names a user requests reveals their Internet use. Therefore, in an age of comprehensive privacy legislation, such as Europe’s GDPR, simply logging every DNS request is not acceptable.
In this paper we present DNSBLOOM, a system that uses Bloom Filters as a privacy-enhancing technology to store DNS requests. Bloom Filters act as a probabilistic set, where a membership test either returns probable membership (with a small false positive probability), or certain non-membership. Because Bloom Filters do not store original information, and because DNSBLOOM aggregates queries from multiple users over fixed time periods, the system offers strong privacy guarantees while enabling security professionals to check with a high degree of confidence whether certain DNS queries associated with malicious activity have occurred. We validate DNSBLOOM through three case studies performed on the production DNS infrastructure of a major global research network, and release a working prototype, that integrates with popular DNS resolvers, in open source.
Original languageEnglish
Title of host publicationIFIP/IEEE International Symposium on Integrated Network Management (IM2019)
PublisherIFIP
ISBN (Print)978-3-903176-15-7
Publication statusPublished - 8 Apr 2019
Event16th IFIP/IEEE International Symposium on Integrated Network Management - DoubleTree by Hilton Hotel Washington DC - Crystal City, Washington DC, United States
Duration: 8 Apr 201912 Apr 2019
Conference number: 16
https://im2019.ieee-im.org

Conference

Conference16th IFIP/IEEE International Symposium on Integrated Network Management
Abbreviated titleIM 2019
CountryUnited States
CityWashington DC
Period8/04/1912/04/19
Internet address

Fingerprint

Internet
Monitoring
Malware
Botnet

Keywords

  • DNS
  • privacy
  • measurement
  • GDPR
  • threat detection
  • indicator-of-compromise

Cite this

van Rijswijk - Deij, R., Rijnders, G., Bomhoff, M., & Allodi, L. (2019). Privacy-Conscious Threat Intelligence Using DNSBloom. In IFIP/IEEE International Symposium on Integrated Network Management (IM2019) IFIP.
van Rijswijk - Deij, Roland ; Rijnders, Gijs ; Bomhoff, Matthijs ; Allodi, Luca. / Privacy-Conscious Threat Intelligence Using DNSBloom. IFIP/IEEE International Symposium on Integrated Network Management (IM2019). IFIP, 2019.
@inproceedings{16647464070f48ceba177d3181b016dc,
title = "Privacy-Conscious Threat Intelligence Using DNSBloom",
abstract = "The Domain Name System (DNS) is an essential component of every interaction on the Internet. DNS translates human-readable names into machine readable IP addresses. Conversely, DNS requests provide a wealth of information about what goes on in the network. Malicious activity – such as phishing, malware and botnets – also makes use of the DNS. Thus, monitoring DNS traffic is essential for the security team’s toolbox. Yet because DNS is so essential to Internet services, tracking DNS is also highly privacy-invasive, as what domain names a user requests reveals their Internet use. Therefore, in an age of comprehensive privacy legislation, such as Europe’s GDPR, simply logging every DNS request is not acceptable.In this paper we present DNSBLOOM, a system that uses Bloom Filters as a privacy-enhancing technology to store DNS requests. Bloom Filters act as a probabilistic set, where a membership test either returns probable membership (with a small false positive probability), or certain non-membership. Because Bloom Filters do not store original information, and because DNSBLOOM aggregates queries from multiple users over fixed time periods, the system offers strong privacy guarantees while enabling security professionals to check with a high degree of confidence whether certain DNS queries associated with malicious activity have occurred. We validate DNSBLOOM through three case studies performed on the production DNS infrastructure of a major global research network, and release a working prototype, that integrates with popular DNS resolvers, in open source.",
keywords = "DNS, privacy, measurement, GDPR, threat detection, indicator-of-compromise",
author = "{van Rijswijk - Deij}, Roland and Gijs Rijnders and Matthijs Bomhoff and Luca Allodi",
year = "2019",
month = "4",
day = "8",
language = "English",
isbn = "978-3-903176-15-7",
booktitle = "IFIP/IEEE International Symposium on Integrated Network Management (IM2019)",
publisher = "IFIP",

}

van Rijswijk - Deij, R, Rijnders, G, Bomhoff, M & Allodi, L 2019, Privacy-Conscious Threat Intelligence Using DNSBloom. in IFIP/IEEE International Symposium on Integrated Network Management (IM2019). IFIP, 16th IFIP/IEEE International Symposium on Integrated Network Management, Washington DC, United States, 8/04/19.

Privacy-Conscious Threat Intelligence Using DNSBloom. / van Rijswijk - Deij, Roland; Rijnders, Gijs; Bomhoff, Matthijs; Allodi, Luca.

IFIP/IEEE International Symposium on Integrated Network Management (IM2019). IFIP, 2019.

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

TY - GEN

T1 - Privacy-Conscious Threat Intelligence Using DNSBloom

AU - van Rijswijk - Deij, Roland

AU - Rijnders, Gijs

AU - Bomhoff, Matthijs

AU - Allodi, Luca

PY - 2019/4/8

Y1 - 2019/4/8

N2 - The Domain Name System (DNS) is an essential component of every interaction on the Internet. DNS translates human-readable names into machine readable IP addresses. Conversely, DNS requests provide a wealth of information about what goes on in the network. Malicious activity – such as phishing, malware and botnets – also makes use of the DNS. Thus, monitoring DNS traffic is essential for the security team’s toolbox. Yet because DNS is so essential to Internet services, tracking DNS is also highly privacy-invasive, as what domain names a user requests reveals their Internet use. Therefore, in an age of comprehensive privacy legislation, such as Europe’s GDPR, simply logging every DNS request is not acceptable.In this paper we present DNSBLOOM, a system that uses Bloom Filters as a privacy-enhancing technology to store DNS requests. Bloom Filters act as a probabilistic set, where a membership test either returns probable membership (with a small false positive probability), or certain non-membership. Because Bloom Filters do not store original information, and because DNSBLOOM aggregates queries from multiple users over fixed time periods, the system offers strong privacy guarantees while enabling security professionals to check with a high degree of confidence whether certain DNS queries associated with malicious activity have occurred. We validate DNSBLOOM through three case studies performed on the production DNS infrastructure of a major global research network, and release a working prototype, that integrates with popular DNS resolvers, in open source.

AB - The Domain Name System (DNS) is an essential component of every interaction on the Internet. DNS translates human-readable names into machine readable IP addresses. Conversely, DNS requests provide a wealth of information about what goes on in the network. Malicious activity – such as phishing, malware and botnets – also makes use of the DNS. Thus, monitoring DNS traffic is essential for the security team’s toolbox. Yet because DNS is so essential to Internet services, tracking DNS is also highly privacy-invasive, as what domain names a user requests reveals their Internet use. Therefore, in an age of comprehensive privacy legislation, such as Europe’s GDPR, simply logging every DNS request is not acceptable.In this paper we present DNSBLOOM, a system that uses Bloom Filters as a privacy-enhancing technology to store DNS requests. Bloom Filters act as a probabilistic set, where a membership test either returns probable membership (with a small false positive probability), or certain non-membership. Because Bloom Filters do not store original information, and because DNSBLOOM aggregates queries from multiple users over fixed time periods, the system offers strong privacy guarantees while enabling security professionals to check with a high degree of confidence whether certain DNS queries associated with malicious activity have occurred. We validate DNSBLOOM through three case studies performed on the production DNS infrastructure of a major global research network, and release a working prototype, that integrates with popular DNS resolvers, in open source.

KW - DNS

KW - privacy

KW - measurement

KW - GDPR

KW - threat detection

KW - indicator-of-compromise

M3 - Conference contribution

SN - 978-3-903176-15-7

BT - IFIP/IEEE International Symposium on Integrated Network Management (IM2019)

PB - IFIP

ER -

van Rijswijk - Deij R, Rijnders G, Bomhoff M, Allodi L. Privacy-Conscious Threat Intelligence Using DNSBloom. In IFIP/IEEE International Symposium on Integrated Network Management (IM2019). IFIP. 2019