Detection of malicious and low throughput data exfiltration over the DNS protocol

Nadler, Asaf; Aminov, Avi; Shabtai, Asaf

doi:10.1016/j.cose.2018.09.006

Cited by 92 publications

(57 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There are several other limitations that affect some of the most recent solutions discussed so far. In [13] Nadler et al focus solely on the detection of low-throughput attacks by implementing a one-hour monitor window. To avoid this issue, DNSxD implements a much smaller time frame and relies on other Deep Packet Inspection (DPI) identifiers to detect low throughput attacks.…”

Section: A Current Detection Methodsmentioning

confidence: 99%

“…They demonstrate a clear correlation in the distribution of record types between legitimate and malicious DNS traffic, which can be used to profile the attack. Nadler et al [13] split DNS data exfiltration attacks into two categories; highthroughput tunnelling, and low-throughput exfiltration attacks. Their solution logs specific DNS features for correlation on an hourly basis to determine if an attack has/is taking place.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

DNSxD: Detecting Data Exfiltration Over DNS

Steadman¹,

Scott-Hayward²

2018

2018 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN)

View full text Add to dashboard Cite

According to a 2017 SANS report, 1 in 20 organisations fall victim to data exfiltration. Data exfiltration, often the final stage of a cyber attack has damaging consequences for the victim organisation. The use of the Domain Name System (DNS) protocol for data exfiltration was first discussed in 1998. Twenty years on, this covert transmission method has become more sophisticated as malicious actors adapt to evade detection techniques. The popularity of DNS for data exfiltration is due to the essential nature of the protocol for network communication. This paper addresses the issue of DNS-based data exfiltration proposing a detection and mitigation method leveraging the Software-Defined Network (SDN) architecture. Popular DNS data exfiltration attacks and current exfiltration detection mechanisms are analysed to generate a feature-set for DNS data exfiltration detection. The DNSxD application is presented and its performance evaluated in comparison with the current exfiltration detection mechanisms.

show abstract

Section: A Current Detection Methodsmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

DNSxD: Detecting Data Exfiltration Over DNS

Steadman¹,

Scott-Hayward²

2018

2018 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN)

View full text Add to dashboard Cite

show abstract

“…For example, DNS can be misused by hackers to facilitate command and control with a compromised host, move malicious code into a network and exfiltrate data. In this approach, hackers send and receive data via DNS by effectively converting it into a covert transport protocol (Nadler et al, 2019). HTTPS can also be used to exfiltrate data to minimize the risk of detection, as its flexible structure provides a lot of benefits to hackers.…”

Section: Introductionmentioning

confidence: 99%

The Challenges of Leveraging Threat Intelligence to Stop Data Breaches

Ibrahim

Thiruvady

Schneider

et al. 2020

Front. Comput. Sci.

View full text Add to dashboard Cite

Despite the significant increase in cybersecurity solutions investment, organizations are still plagued by security breaches, especially data breaches. As more organizations experience crippling security breaches, the wave of compromised data is growing significantly. The financial consequences of a data breach are set on the rise, but the cost goes beyond potential fines. Data breaches could have a catastrophic impact not only in loss of company's reputation and stock price, but also in economic terms. Threat Intelligence has been recently introduced to enable greater visibility of cyber threats, in order to better protect organizations' digital assets and prevent data breaches. Threat intelligence is the practice of integrating and analyzing disjointed cyber data to extract evidence-based insights regarding an organization's unique threat landscape. This helps explain who the adversary is, how and why they are comprising the organization's digital assets, what consequences could happen following the attack, what assets actually could be compromised, and how to detect or respond to the threat. Every organization is different and threat intelligence frameworks are custom-tailored to the business process itself and the organization's risks, as there is no "one-size-fits-all" in cyber. In this paper, we review the problem of data breaches and discuss the challenges of implementing threat intelligence that scales in today's complex threat landscape and digital infrastructure. This is followed by an illustration of how the future of effective threat intelligence is closely linked to efficiently applying Artificial Intelligence and Machine Learning approaches, and we conclude by outlining future research directions in this area.

show abstract

“…Botnets are groups of compromised Internet machines (bots) that are controlled by a single owner to carry attacks such as distributed denial-of-service [9], data exfiltration [17], and cryptocurrency mining [8]. To maintain control over the botnet, the owner configures its bots to connect and receive commands from a command and control server (C&C) in the Internet.…”

Section: Introductionmentioning

confidence: 99%

Helix

Sidi

Mirsky

Nadler

et al. 2020

Proceedings of the 29th ACM International Conference on Information &Amp; Knowledge Management

Self Cite

View full text Add to dashboard Cite

Botnets have been using domain generation algorithms (DGA) for over a decade to covertly and robustly identify the domain name of their command and control servers (C&C). Recent advancements in DGA detection has motivated botnet owners to rapidly alter the C&C domain and use adversarial techniques to evade detection. As a result, it has become increasingly difficult to track botnets in DNS traffic. In this paper, we present Helix, a method for tracking and exploring botnets. Helix uses a spatio-temporal deep neural network autoencoder to convert domains into numerical vectors (embeddings) which capture the DGA and seed used to create the domain. This is made possible by leveraging both convolutional (spatial) and recurrent (temporal) layers, and by using techniques such as attention mechanisms and highways. Furthermore, by using an autoencoder architecture, the network can be trained in an unsupervised manner (no labeling of data) which makes the system practical for real world deployments. In our evaluation, we found that Helix can track botnet campaigns, distinguish between DGA families and seeds, and can identify domains generated using the latest adversarial machine learning techniques. Helix is currently being used to track botnets in one of the world's largest Internet Service Providers (ISP), and we include some of the ISP's analysis work using our method. CCS CONCEPTS • Security and privacy → Intrusion/anomaly detection and malware mitigation.

show abstract

Detection of malicious and low throughput data exfiltration over the DNS protocol

Cited by 92 publications

References 20 publications

DNSxD: Detecting Data Exfiltration Over DNS

DNSxD: Detecting Data Exfiltration Over DNS

The Challenges of Leveraging Threat Intelligence to Stop Data Breaches

Helix

Contact Info

Product

Resources

About