TIDE – Threat Identification using Active DNS Measurements

Anna  Sperotto; Olivier van der Toorn; Roland van Rijswijk

doi:10.1145/3123878.3131988

TIDE – Threat Identification using Active DNS Measurements

Anna Sperotto, Olivier van der Toorn, Roland van Rijswijk

Research output: Contribution to conference › Paper › peer-review

6 Citations (Scopus)

21 Downloads (Pure)

Abstract

The Domain Name System contains a wealth of information about the security, stability and health of the Internet. Most research that leverages the DNS for detection of malicious activities does so by using passive measurements. The limitation of this approach, however, is that it is effective only once an attack is ongoing. In this paper, we explore a different approach. We advocate the use of active DNS measurements for pro-active (i.e., before the actual attack) identification of domains set up for malicious use. Our research makes uses of data from the OpenINTEL large-scale active DNS measurement platform, which, since February 2015, collects daily snapshots of currently more than 60% of the DNS namespace. We illustrate the potential of our approach by showing preliminary results in three case studies, namely snowshoe spam, denial of service attacks and a case of targeted phishing known as CEO fraud.

Original language	English
Pages	65-67
Number of pages	3
DOIs	https://doi.org/10.1145/3123878.3131988
Publication status	Published - 22 Aug 2017
Event	Annual Conference of the ACM Special Interest Group on Data Communication, ACM SIGCOMM 2017 - Los Angeles, United States Duration: 21 Aug 2017 → 25 Aug 2017 https://conferences.sigcomm.org/sigcomm/2017/

Conference

Conference	Annual Conference of the ACM Special Interest Group on Data Communication, ACM SIGCOMM 2017
Abbreviated title	ACM SIGCOMM
Country/Territory	United States
City	Los Angeles
Period	21/08/17 → 25/08/17
Internet address	https://conferences.sigcomm.org/sigcomm/2017/

Access to Document

10.1145/3123878.3131988

Cite this

@conference{6d54dbdfd49c46fab32d56330a71d330,

title = "TIDE – Threat Identification using Active DNS Measurements",

abstract = "The Domain Name System contains a wealth of information about the security, stability and health of the Internet. Most research that leverages the DNS for detection of malicious activities does so by using passive measurements. The limitation of this approach, however, is that it is effective only once an attack is ongoing. In this paper, we explore a different approach. We advocate the use of active DNS measurements for pro-active (i.e., before the actual attack) identification of domains set up for malicious use. Our research makes uses of data from the OpenINTEL large-scale active DNS measurement platform, which, since February 2015, collects daily snapshots of currently more than 60% of the DNS namespace. We illustrate the potential of our approach by showing preliminary results in three case studies, namely snowshoe spam, denial of service attacks and a case of targeted phishing known as CEO fraud.",

author = "Anna Sperotto and {van der Toorn}, Olivier and {van Rijswijk}, Roland",

year = "2017",

month = aug,

day = "22",

doi = "10.1145/3123878.3131988",

language = "English",

pages = "65--67",

note = "Annual Conference of the ACM Special Interest Group on Data Communication, ACM SIGCOMM 2017, ACM SIGCOMM ; Conference date: 21-08-2017 Through 25-08-2017",

url = "https://conferences.sigcomm.org/sigcomm/2017/",

}

TY - CONF

T1 - TIDE – Threat Identification using Active DNS Measurements

AU - Sperotto, Anna

AU - van der Toorn, Olivier

AU - van Rijswijk, Roland

PY - 2017/8/22

Y1 - 2017/8/22

N2 - The Domain Name System contains a wealth of information about the security, stability and health of the Internet. Most research that leverages the DNS for detection of malicious activities does so by using passive measurements. The limitation of this approach, however, is that it is effective only once an attack is ongoing. In this paper, we explore a different approach. We advocate the use of active DNS measurements for pro-active (i.e., before the actual attack) identification of domains set up for malicious use. Our research makes uses of data from the OpenINTEL large-scale active DNS measurement platform, which, since February 2015, collects daily snapshots of currently more than 60% of the DNS namespace. We illustrate the potential of our approach by showing preliminary results in three case studies, namely snowshoe spam, denial of service attacks and a case of targeted phishing known as CEO fraud.

AB - The Domain Name System contains a wealth of information about the security, stability and health of the Internet. Most research that leverages the DNS for detection of malicious activities does so by using passive measurements. The limitation of this approach, however, is that it is effective only once an attack is ongoing. In this paper, we explore a different approach. We advocate the use of active DNS measurements for pro-active (i.e., before the actual attack) identification of domains set up for malicious use. Our research makes uses of data from the OpenINTEL large-scale active DNS measurement platform, which, since February 2015, collects daily snapshots of currently more than 60% of the DNS namespace. We illustrate the potential of our approach by showing preliminary results in three case studies, namely snowshoe spam, denial of service attacks and a case of targeted phishing known as CEO fraud.

U2 - 10.1145/3123878.3131988

DO - 10.1145/3123878.3131988

M3 - Paper

SP - 65

EP - 67

T2 - Annual Conference of the ACM Special Interest Group on Data Communication, ACM SIGCOMM 2017

Y2 - 21 August 2017 through 25 August 2017

ER -

TIDE – Threat Identification using Active DNS Measurements

Abstract

Conference

Access to Document

Fingerprint

Cite this