All Your DNS Records Point to Us

Liu, Daiping; Hao, Shuai; Wang, Haining

doi:10.1145/2976749.2978387

Cited by 48 publications

(13 citation statements)

References 21 publications

(26 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Liu et al show that dangling delegation records referring to expired resources (e.g., cloud IP addresses or names) left in the parent or child pose a significant risk [11]. An attacker can obtain control of these records through the same cloud services by randomly registering new services, and in this way take control of the domain.…”

Section: Background and Related Workmentioning

confidence: 99%

“…According to RFC2181 resolvers may prefer this information over the delegation provided by the parent. Indeed, in rounds [1][2][3][4][5][6][7][8][9][10][11] we see traffic also going to the child name servers. However, not all traffic goes to servers in the child NSSet, because not all resolvers trust data from the "authority section" due to mitigations against the so-called Kaminsky attack [8].…”

Section: Implications Of Nsset Differences In the Wildmentioning

confidence: 99%

See 1 more Smart Citation

When Parents and Children Disagree: Diving into DNS Delegation Inconsistency

Sommese

Moura

Jonker

et al. 2020

Passive and Active Measurement

View full text Add to dashboard Cite

The Domain Name System (DNS) is a hierarchical, decentralized, and distributed database. A key mechanism that enables the DNS to be hierarchical and distributed is delegation [7] of responsibility from parent to child zones-typically managed by different entities. RFC1034 [12] states that authoritative nameserver (NS) records at both parent and child should be "consistent and remain so", but we find inconsistencies for over 13M second-level domains. We classify the type of inconsistencies we observe, and the behavior of resolvers in the face of such inconsistencies, using RIPE Atlas to probe our experimental domain configured for different scenarios. Our results underline the risk such inconsistencies pose to the availability of misconfigured domains.

show abstract

Section: Background and Related Workmentioning

confidence: 99%

Section: Implications Of Nsset Differences In the Wildmentioning

confidence: 99%

When Parents and Children Disagree: Diving into DNS Delegation Inconsistency

Sommese

Moura

Jonker

et al. 2020

Passive and Active Measurement

View full text Add to dashboard Cite

show abstract

“…Without an explicit comparison between the current webpage and its phishing target, such methods utilize the extracted features to build a binary classifier. The features can be computed from the webpage URL [1]- [6], HTML content [7], queries to remote servers [8], [9], and even publicly-available blacklisting services [10]. However, the attackers have the potential to infer relevant information about the classifier rules.…”

Section: A Background Information and Literature Review For Phishingmentioning

confidence: 99%

“…According to the URL specification [37], 1 we divide a collection of URLs into three collections of URL segments: domain, directory, and file. For example, a given URL ''https://www.airport-information.com/website/ index.php/en/reference-list'' is divided into three segments: domain segment ''www.airport-information.com'', directory segment ''website/index.php/en'', and file segment ''reference-list''.…”

Section: Url Quality Scorementioning

confidence: 99%

“…Similarly, the legitimate probability is w w , with w denoting the number of the legitimate URL patterns covering the URL. We calculate the malicious probability ratio to assign URL quality score φ to each node, i.e., φ = m m w w (1) Notice that higher malicious probability and lower legitimate probability produce a higher value of URL quality score. The higher score indicates that the URL is more likely to be malicious.…”

Section: Url Quality Scorementioning

confidence: 99%

See 1 more Smart Citation

SPWalk: Similar Property Oriented Feature Learning for Phishing Detection

Liu

2020

IEEE Access

View full text Add to dashboard Cite

Detecting phishing webpages is an essential task that protects legitimate websites and their users from various malicious activities. To classify the suspect webpage as phishing or legitimate, robust and effective features used for classification are in demand. However, recent phishing attacks usually make phishing webpages resemble the legitimate webpages in visual and functional aspects. This poses a greater difficulty for feature extraction. We herein propose SPWalk, an unsupervised feature learning algorithm for phishing detection. In SPWalk, similar property nodes refer to a collection of phishing webpages or legitimate webpages. We first construct a weblink network with nodes representing webpages. The edges between nodes represent the reference relationships that connect webpages through hyperlinks or similar textual content. Then, SPWalk applies the network embedding technique to mapping nodes into a low-dimensional vector space. A biased random walk procedure efficiently integrates both structural information between nodes and URL information of each node. The effectiveness and robustness of SPWalk come from three points. (1). Phishing attackers do not have full control over reference relationships. (2). The structural regularities generated by diverse reference relationships can be exploited to discriminate between phishing and legitimate webpages. (3). Node URL information makes the learned node representations more suited for phishing detection. Using node as numeric features, we conduct experiments to classify webpages as legitimate or phishing. We demonstrate the superiority of SPWalk over state-of-the-art techniques on phishing detection, especially in terms of precision (over 95%). Even in the case that phishing webpages are well camouflaged by attackers for evading detection, SPwalk exhibits better classification efficacy consistently. INDEX TERMS Feature learning, network embedding, phishing detection, similar property.

show abstract