A Cause-Based Classification Approach for Malicious DNS Queries Detected Through Blacklists

Satoh, Akihiro; Nakamura, Yutaka; Fukuda, Yutaka; Sasai, Kazuto; Kobashi, Gén

doi:10.1109/access.2019.2944203

Cited by 12 publications

(7 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These scenarios have motivated focus on the resolution of domain names for the traditional DNSs, which are not encryption, as an information source for detecting malware. Through previous investigations [28], we have confirmed that the traces of malicious activities appear in queries for the traditional DNSs.…”

Section: Related Worksupporting

confidence: 64%

A Word-Level Analytical Approach for Identifying Malicious Domain Names Caused by Dictionary-Based DGA Malware

et al. 2021

Self Cite

View full text Add to dashboard Cite

Computer networks are facing serious threats from the emergence of malware with sophisticated DGAs (Domain Generation Algorithms). This type of DGA malware dynamically generates domain names by concatenating words from dictionaries for evading detection. In this paper, we propose an approach for identifying the callback communications of such dictionary-based DGA malware by analyzing their domain names at the word level. This approach is based on the following observations: These malware families use their own dictionaries and algorithms to generate domain names, and accordingly, the word usages of malware-generated domains are distinctly different from those of human-generated domains. Our evaluation indicates that the proposed approach is capable of achieving accuracy, recall, and precision as high as 0.9989, 0.9977, and 0.9869, respectively, when used with labeled datasets. We also clarify the functional differences between our approach and other published methods via qualitative comparisons. Taken together, these results suggest that malware-infected machines can be identified and removed from networks using DNS queries for detected malicious domain names as triggers. Our approach contributes to dramatically improving network security by providing a technique to address various types of malware encroachment.

show abstract

Section: Related Worksupporting

confidence: 64%

A Word-Level Analytical Approach for Identifying Malicious Domain Names Caused by Dictionary-Based DGA Malware

et al. 2021

Self Cite

View full text Add to dashboard Cite

show abstract

“…Similarly, papers such as [13,16] focusing on using blacklists for spam filtering in mail servers are also considered complementary. [4] 2012 Zhang et al [23] 2013 Kührer et al [10] 2014 Foremski et al [7] 2014 Satoh et al [14] 2019 Spacek et al [17] 2019 Wilde et al [21] 2019 Li et al [11] 2019 Telenor Norway [19] 2020 Griffioen et al [8] 2020…”

Section: Related Workmentioning

confidence: 99%

Using NetFlow to Measure the Impact of Deploying DNS-based Blacklists

Fejrskov¹,

Pedersen

Vasilomanolakis

2021

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

To prevent user exposure to a wide range of cyber security threats, organizations and companies often resort to deploying blacklists in DNS resolvers or DNS firewalls. The impact of such a deployment is often measured by comparing the coverage of individual blacklists, by counting the number of blocked DNS requests, or by counting the number of flows redirected to a benign web page that contains a warning to the user. This paper suggests an alternative to this by using NetFlow data to measure the effect of a DNS-based blacklist deployment. Our findings suggest that only 38-40% of blacklisted flows are web traffic. Furthermore, the paper analyzes the flows blacklisted by IP address, and it is shown that the majority of these are potentially benign, such as flows towards a web server hosting both benign and malicious sites. Finally, the flows blacklisted by domain name are categorized as either spam or malware, and it is shown that less than 6% are considered malicious.

show abstract

“…This approach can lead to a high false positive rate for some IoT hosts due to version updates which usually behave similarly to botnet behavior. A more recent work used blacklists to perform cause-based classification of malicious DNS queries [19].…”

Section: ) Knowledge-based and Machine Learning-based Approachesmentioning

confidence: 99%

ARBA: Anomaly and Reputation Based Approach for Detecting Infected IoT Devices

et al. 2020

View full text Add to dashboard Cite

Today, cyber attacks are constantly evolving and changing, which makes them harder to detect. In particular, detecting attacks in large-scale networks is very challenging because they require high detection rates under real-time resource constraints. In this paper, we focus on detecting infected Internet of Things (IoT) hosts from domain name system (DNS) traffic data. IoT hosts, such as streaming cameras, printers, air conditioners, are hard to protect, unlike PCs and servers. Enterprises are often unaware of the devices which are connected to the network, their types, makes, and vulnerabilities. Since IoT hosts make use of the DNS protocol, analyzing DNS data can give a broad view of malicious activities, because they abuse the DNS protocol and leave fingerprints as part of their attack vector. In this collaborative research between Ben-Gurion University, and IBM, we establish a novel algorithm to detect infected IoT hosts in large-scale DNS traffic, named Anomaly and Reputation Based Algorithm (ARBA). Its novelty resides in developing a framework that combines host classification and domain reputation in a real-time production environment. ARBA is highly computational efficient and meets real-time requirements in terms of run time and computational complexity. By contrast to existing algorithms, it does not require a massive traffic volume for training, which is of significant interest in detecting infected hosts in real-time. The research was conducted on real live streaming data from IBM internal network traffic, and confirm the algorithm's strong performance in a real-time production environment. INDEX TERMS Cyber security, anomaly detection, domain name system (DNS), detection algorithms, real-time algorithms.

show abstract

A Cause-Based Classification Approach for Malicious DNS Queries Detected Through Blacklists

Cited by 12 publications

References 33 publications

A Word-Level Analytical Approach for Identifying Malicious Domain Names Caused by Dictionary-Based DGA Malware

A Word-Level Analytical Approach for Identifying Malicious Domain Names Caused by Dictionary-Based DGA Malware

Using NetFlow to Measure the Impact of Deploying DNS-based Blacklists

ARBA: Anomaly and Reputation Based Approach for Detecting Infected IoT Devices

Contact Info

Product

Resources

About