Detection of malicious payload distribution channels in DNS

Kara, A. Mert; Binsalleeh, Hamad; Mannan, Mohammad; Youssef, Amr M.; Debbabi, Mourad

doi:10.1109/icc.2014.6883426

Cited by 40 publications

(24 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This type of abuse of the DNS protocol for the sake of data exchange has been thoroughly studied in previous research along with its unique attributes [16], [18], [36]. The most commonly investigated unique attributes are: long queries and responses [36], different resource record distribution [18], and a high volume of requests and encoded data rather than plain text [16]. While these abnormalities may capture the entire landscape of data exchange over the DNS, they are insufficient for accurate data leakage detection, since not all data exchange is malicious.…”

Section: B Data Exchange Over the Dns Protocolmentioning

confidence: 99%

See 1 more Smart Citation

Detection of malicious and low throughput data exfiltration over the DNS protocol

Nadler

Aminov

Shabtai

2019

Computers & Security

View full text Add to dashboard Cite

In the presence of security countermeasures, a malware designed for data exfiltration must use a covert channel to achieve its goal. The Domain Name System (DNS) protocol is a covert channel commonly used by malware developers today for this purpose. Although the detection of covert channels using the DNS has been studied for the past decade, prior research has largely dealt with a specific subclass of covert channels, namely DNS tunneling. While the importance of tunneling detection should not be minimized, an entire class of low throughput DNS exfiltration malware has been overlooked.In this study we propose a method for detecting both tunneling and low throughput data exfiltration over the DNS. After determining that previously detected malware used Internet domains that were registered towards a cyber-campaign rather than compromising existing legitimate ones, we focus on detecting and denying requests to these domains as an effective data leakage shutdown. Therefore, our proposed solution handles streaming DNS traffic in order to detect and automatically deny requests to domains that are used for data exchange. The initial data collection phase collects DNS logs per domain in a manner that permits scanning for long periods of time, and is thus capable of dealing with "low and slow" attacks. The second phase extracts features based on the querying behavior of each domain, and in the last phase an anomaly detection model is used to classify domains based on their use for data exfiltration. As for detection, DNS requests to domains that were classified as being used for data exfiltration will be denied indefinitely.Our method was evaluated on a large-scale recursive DNS server's logs with a peaking high of 47 million requests per hour. Within these DNS logs, we injected data exfiltration traffic from DNS tunneling tools as well as two real-life malware: FrameworkPOS, previously used for the theft of 56M credit cards from Home Depot in 2014, and Backdoor.Win32.Denis, which was active in the Cobalt Kitty APT in 2016. Even when restricting our method to an extremely low false positive rate (i.e., one in fifty thousand domains), it detected all of the above. In addition, the logs are used to compare our system with two recently published methods that focus on detecting DNS tunneling in order to stress the novelty of detecting low throughput exfiltration malware.

show abstract

Section: B Data Exchange Over the Dns Protocolmentioning

confidence: 99%

“…Initial research in the field focused on specific DNS tunneling tools, mainly Iodine. Kara et al [18] analyze the difference in the distribution of TXT resource records requests between popular domains and domains used for tunneling with Iodine. Later versions of Iodine leverage other types of rich resource records (e.g., SRV, NULL).…”

Section: Related Workmentioning

confidence: 99%

Detection of malicious and low throughput data exfiltration over the DNS protocol

Nadler

Aminov

Shabtai

2019

Computers & Security

View full text Add to dashboard Cite

show abstract

“…The use of DNS as a malicious payload distribution channel, e.g. for tunneling, was explored in [28,29]. In the first paper [28], the malicious payload distribution channels are characterized based on the exchange behavior of the DNS request and response messages.…”

Section: Payload Inspectionmentioning

confidence: 99%

“…In the second paper [29], a DNS zone analysis -based approach is introduced. A near real-time detection is achieved by monitoring DNS requests and responses in passive DNS traffic.…”

Section: Payload Inspectionmentioning

confidence: 99%

DNS Tunneling Detection Techniques – Classification, and Theoretical Comparison in Case of a Real APT Campaign

Nuojua

David

Hämäläinen

2017

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Domain Name System (DNS) plays an important role as a translation protocol in everyday use of the Internet. The purpose of DNS is to translate domain names into IP addresses and vice versa. However, its simple architecture can easily be misused for malicious activities. One huge security threat concerning DNS is tunneling, which helps attackers bypass the security systems unnoticed. A DNS tunnel can be used for three purposes: as a command and control channel, for data exfiltration or even for tunneling another protocol through it. In this paper, we surveyed different techniques for DNS tunneling detection. We classified those first based on the type of data and then within the categories based on the type of analysis. We conclude with a comparison between the various detection techniques. We introduce one real Advanced Persistent Threat campaign that utilizes DNS tunneling, and theoretically compare how well the surveyed detection techniques could detect it.

show abstract

“…To detect DNS-based botnet communications, there are some existing research works in the literature [5][6][7][8]. In these research works, they mainly analyzed the DNS traffic obtained from DNS resolvers and statistically considered the possibility of DNS basis botnet communications.…”

Section: Introductionmentioning

confidence: 99%

Detection Method of DNS-based Botnet Communication Using Obtained NS Record History

Ichise

Jin

Iida

2015

2015 IEEE 39th Annual Computer Software and Applications Conference

View full text Add to dashboard Cite

To combat with botnet, early detection of the botnet communication and fast identification of the bot-infected PCs is very important for network administrators. However, in DNS protocol, which appears to have been used for botnet communication recently, it is difficult to differentiate the ordinary domain name resolution and suspicious communication.Our key idea is that the most of domain name resolutions first obtain the corresponding NS (Name Server) record from authoritative name servers in the Internet, whereas suspicious communication may omit the procedures to hide their malicious activities. Based on this observation, we propose a detection method of DNS basis botnet communication using obtained NS record history. Our proposed method checks whether the destined name server (IP address) of a DNS query is included in the obtained NS record history to detect the botnet communications.

show abstract

Detection of malicious payload distribution channels in DNS

Cited by 40 publications

References 9 publications

Detection of malicious and low throughput data exfiltration over the DNS protocol

Detection of malicious and low throughput data exfiltration over the DNS protocol

DNS Tunneling Detection Techniques – Classification, and Theoretical Comparison in Case of a Real APT Campaign

Detection Method of DNS-based Botnet Communication Using Obtained NS Record History

Contact Info

Product

Resources

About