Threat Identification Using Active DNS Measurements

Olivier van der Toorn; Anna Sperotto

Threat Identification Using Active DNS Measurements

Olivier van der Toorn^*, Anna Sperotto

^*Corresponding author for this work

Design and Analysis of Communication Systems

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

62 Downloads (Pure)

Abstract

The DNS is a core service for the Internet. Most uses of the DNS are benign, but some are malicious. Attackers often use a DNS domain to enable an attack (e.g. DDoS attacks). Detection of these attacks often happens passively, which leads to a reactive detection of attacks. However, registering and configuring a domain takes time. We want to pro-actively identify malicious domains during this time. Identifying malicious domains before they are used allows to pre-emptively stop an attack. We aim to accomplish this goal by analysing active DNS measurements. Through the analysis of active DNS measurements there is a window of opportunity between the time of registration and the time of an attack to identify a threat before it becomes an attack. Active DNS measurements allows us to analyse the configuration of a domain. Using the configuration of a domain we can predict if it will be used for malicious intent. Machine Learning (ML) is often used to process large datasets, because it is efficient and dynamic. This is the reason we want to use ML for the detection of malicious domains. Because our results are predictive in nature, methodology for validation of our results need to be developed. At the time of the detection ground truth is not (yet) available.

Original language	English
Title of host publication	12th International Conference on Autonomous Infrastructure, Management and Security, AIMS 2018 - Proceedings
Publisher	IFIP
Pages	1-5
Number of pages	5
ISBN (Electronic)	978-3-903176-12-6
Publication status	Published - 2018
Event	12th International Conference on Autonomous Infrastructure, Management and Security, AIMS 2018 - Munich, Germany Duration: 4 Jun 2018 → 7 Jun 2018 Conference number: 12 http://www.aims-conference.org/2018/

Conference

Conference	12th International Conference on Autonomous Infrastructure, Management and Security, AIMS 2018
Abbreviated title	AIMS 2018
Country/Territory	Germany
City	Munich
Period	4/06/18 → 7/06/18
Internet address	http://www.aims-conference.org/2018/

Access to Document

ArticleFinal published version, 3.81 MB

https://www.tide-project.nl/publications/aims2018/

Cite this

@inproceedings{2da2fa01c35e4c7099d65a28d369307e,

title = "Threat Identification Using Active DNS Measurements",

abstract = "The DNS is a core service for the Internet. Most uses of the DNS are benign, but some are malicious. Attackers often use a DNS domain to enable an attack (e.g. DDoS attacks). Detection of these attacks often happens passively, which leads to a reactive detection of attacks. However, registering and configuring a domain takes time. We want to pro-actively identify malicious domains during this time. Identifying malicious domains before they are used allows to pre-emptively stop an attack. We aim to accomplish this goal by analysing active DNS measurements. Through the analysis of active DNS measurements there is a window of opportunity between the time of registration and the time of an attack to identify a threat before it becomes an attack. Active DNS measurements allows us to analyse the configuration of a domain. Using the configuration of a domain we can predict if it will be used for malicious intent. Machine Learning (ML) is often used to process large datasets, because it is efficient and dynamic. This is the reason we want to use ML for the detection of malicious domains. Because our results are predictive in nature, methodology for validation of our results need to be developed. At the time of the detection ground truth is not (yet) available.",

author = "{van der Toorn}, Olivier and Anna Sperotto",

note = "Publisher Copyright: {\textcopyright} IFIP.; 12th International Conference on Autonomous Infrastructure, Management and Security, AIMS 2018, AIMS 2018 ; Conference date: 04-06-2018 Through 07-06-2018",

year = "2018",

language = "English",

pages = "1--5",

booktitle = "12th International Conference on Autonomous Infrastructure, Management and Security, AIMS 2018 - Proceedings",

publisher = "IFIP",

url = "http://www.aims-conference.org/2018/",

}

van der Toorn, O & Sperotto, A 2018, Threat Identification Using Active DNS Measurements. in 12th International Conference on Autonomous Infrastructure, Management and Security, AIMS 2018 - Proceedings. IFIP, pp. 1-5, 12th International Conference on Autonomous Infrastructure, Management and Security, AIMS 2018, Munich, Germany, 4/06/18. <https://www.tide-project.nl/publications/aims2018/>

TY - GEN

T1 - Threat Identification Using Active DNS Measurements

AU - van der Toorn, Olivier

AU - Sperotto, Anna

N1 - Conference code: 12

PY - 2018

Y1 - 2018

N2 - The DNS is a core service for the Internet. Most uses of the DNS are benign, but some are malicious. Attackers often use a DNS domain to enable an attack (e.g. DDoS attacks). Detection of these attacks often happens passively, which leads to a reactive detection of attacks. However, registering and configuring a domain takes time. We want to pro-actively identify malicious domains during this time. Identifying malicious domains before they are used allows to pre-emptively stop an attack. We aim to accomplish this goal by analysing active DNS measurements. Through the analysis of active DNS measurements there is a window of opportunity between the time of registration and the time of an attack to identify a threat before it becomes an attack. Active DNS measurements allows us to analyse the configuration of a domain. Using the configuration of a domain we can predict if it will be used for malicious intent. Machine Learning (ML) is often used to process large datasets, because it is efficient and dynamic. This is the reason we want to use ML for the detection of malicious domains. Because our results are predictive in nature, methodology for validation of our results need to be developed. At the time of the detection ground truth is not (yet) available.

AB - The DNS is a core service for the Internet. Most uses of the DNS are benign, but some are malicious. Attackers often use a DNS domain to enable an attack (e.g. DDoS attacks). Detection of these attacks often happens passively, which leads to a reactive detection of attacks. However, registering and configuring a domain takes time. We want to pro-actively identify malicious domains during this time. Identifying malicious domains before they are used allows to pre-emptively stop an attack. We aim to accomplish this goal by analysing active DNS measurements. Through the analysis of active DNS measurements there is a window of opportunity between the time of registration and the time of an attack to identify a threat before it becomes an attack. Active DNS measurements allows us to analyse the configuration of a domain. Using the configuration of a domain we can predict if it will be used for malicious intent. Machine Learning (ML) is often used to process large datasets, because it is efficient and dynamic. This is the reason we want to use ML for the detection of malicious domains. Because our results are predictive in nature, methodology for validation of our results need to be developed. At the time of the detection ground truth is not (yet) available.

UR - http://www.scopus.com/inward/record.url?scp=85128081743&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:85128081743

SP - 1

EP - 5

BT - 12th International Conference on Autonomous Infrastructure, Management and Security, AIMS 2018 - Proceedings

PB - IFIP

T2 - 12th International Conference on Autonomous Infrastructure, Management and Security, AIMS 2018

Y2 - 4 June 2018 through 7 June 2018

ER -

Threat Identification Using Active DNS Measurements

Abstract

Conference

Access to Document

Other files and links

Fingerprint

Cite this