Proactive threat detection: A DNS based approach

Olivier Isaac van der Toorn

Research output: Thesis › PhD Thesis - Research UT, graduation UT


The Internet is the cornerstone of our modern civilisation. In an ever-connected world, we work, socialize and play through the Internet. With the Covid-19 pandemic in mind, a life without the Internet is hard to imagine. The benefits of an interconnected society are clear to everybody. However, our most precious resource is under fire. Each day, cyberthreats attack information, services and the Internet infrastructure itself.

In an ideal world these attacks would not happen, or we would be able to mitigate them before they cause any damage. In order to mitigate an attack we need to detect it first. What we often observe is that mitigation only starts when the attack is happening, because attacks are detected when they hit, not any earlier. If we were able to detect imminent attacks before they hit, we could minimize the damage they cause. With proactive threat detection, we aim to detect threats before they result in active attacks. Predictions of upcoming threats are typically made based on active measurements. Through these predictions, mitigation can start before an attack hits. In an ideal scenario, the window between the prediction of the attack and its first hit is such that the whole attack can be mitigated before it has begun. Proactive threat detection is central to this thesis. We studied the use of active Domain Name System (DNS) measurements for proactive threat detection. Through our use cases we show the advantages of a proactive threat detection approach, but also its challenges and limitations.

If we put all traffic on the Internet under scrutiny, we will undoubtedly find clues of malicious behaviour, which we can use to proactively warn of imminent attacks. However, the task of analyzing all Internet traffic is insurmountable. The DNS plays a central role in activity on the Internet. Connections on the Internet typically start with a DNS query to translate a name into an Internet Protocol (IP) address. Analyzing DNS traffic for malicious behaviour is easier than analyzing the full traffic, as DNS traffic is a fraction of the total traffic. This makes actively collected DNS data an excellent basis for proactive threat detection.

Detecting an attack early means more time to prepare mitigations and minimize the damage. Detection of specific targets, such as Snowshoe spam domains or Unicode phishing domains, shows the biggest advantage of proactive threat detection: a sizable time advantage between the proactive detection of a suspicious domain and the registration of the domain on a blocklist. In practice, operators can use this time window between detection and attack to prepare their networks against the attack.

To summarize, a proactive detection approach has its advantages, the biggest being the time difference between the proactive detection of suspicious domains and their registration on blocklists. Proactive threat detection is not risk free. This is the reason we advocate the use of proactive threat detection solutions as a complement to, rather than a replacement for, existing solutions. In the end, to prevent is better than to cure.

Original language: English
Qualification: Doctor of Philosophy
Awarding Institution
  • University of Twente
  • Sperotto, Anna, Supervisor
  • van Rijswijk - Deij, Roland Martijn, Supervisor
Award date: 7 Oct 2022
Place of Publication: Enschede
Print ISBNs: 978-90-365-5442-8
Publication status: Published - 7 Oct 2022

