TIDE – Threat Identification using Active DNS Measurements

Anna Sperotto, Olivier van der Toorn, Roland van Rijswijk

Research output: Contribution to conference › Paper › Academic › peer-review

1 Citation (Scopus)

Abstract

The Domain Name System contains a wealth of information about the security, stability and health of the Internet. Most research that leverages the DNS for detection of malicious activities does so by using passive measurements. The limitation of this approach, however, is that it is effective only once an attack is ongoing. In this paper, we explore a different approach. We advocate the use of active DNS measurements for pro-active (i.e., before the actual attack) identification of domains set up for malicious use. Our research makes use of data from the OpenINTEL large-scale active DNS measurement platform, which, since February 2015, collects daily snapshots of currently more than 60% of the DNS namespace. We illustrate the potential of our approach by showing preliminary results in three case studies, namely snowshoe spam, denial of service attacks and a case of targeted phishing known as CEO fraud.
Original language: English
Pages: 65-67
Number of pages: 3
DOIs: https://doi.org/10.1145/3123878.3131988
Publication status: Published - 22 Aug 2017
Event: Annual Conference of the ACM Special Interest Group on Data Communication, ACM SIGCOMM 2017 - Los Angeles, United States
Duration: 21 Aug 2017 - 25 Aug 2017
Event website: https://conferences.sigcomm.org/sigcomm/2017/

Conference

Conference: Annual Conference of the ACM Special Interest Group on Data Communication, ACM SIGCOMM 2017
Abbreviated title: ACM SIGCOMM
Country: United States
City: Los Angeles
Period: 21/08/17 - 25/08/17
Internet address: https://conferences.sigcomm.org/sigcomm/2017/

Fingerprint

Health
Internet
Denial-of-service attack

Cite this

Sperotto, A., van der Toorn, O., & van Rijswijk, R. (2017). TIDE – Threat Identification using Active DNS Measurements. 65-67. Paper presented at Annual Conference of the ACM Special Interest Group on Data Communication, ACM SIGCOMM 2017, Los Angeles, United States. https://doi.org/10.1145/3123878.3131988
@conference{6d54dbdfd49c46fab32d56330a71d330,
title = "TIDE – Threat Identification using Active DNS Measurements",
abstract = "The Domain Name System contains a wealth of information about the security, stability and health of the Internet. Most research that leverages the DNS for detection of malicious activities does so by using passive measurements. The limitation of this approach, however, is that it is effective only once an attack is ongoing. In this paper, we explore a different approach. We advocate the use of active DNS measurements for pro-active (i.e., before the actual attack) identification of domains set up for malicious use. Our research makes use of data from the OpenINTEL large-scale active DNS measurement platform, which, since February 2015, collects daily snapshots of currently more than 60{\%} of the DNS namespace. We illustrate the potential of our approach by showing preliminary results in three case studies, namely snowshoe spam, denial of service attacks and a case of targeted phishing known as CEO fraud.",
author = "Anna Sperotto and {van der Toorn}, Olivier and {van Rijswijk}, Roland",
year = "2017",
month = "8",
day = "22",
doi = "10.1145/3123878.3131988",
language = "English",
pages = "65--67",
note = "Annual Conference of the ACM Special Interest Group on Data Communication, ACM SIGCOMM 2017, ACM SIGCOMM ; Conference date: 21-08-2017 Through 25-08-2017",
url = "https://conferences.sigcomm.org/sigcomm/2017/",
}
