DNS-ADVP: A Machine Learning Anomaly Detection and Visual Platform to Protect Top-Level Domain Name Servers Against DDoS Attacks

Abstract: DNS DDoS attacks may severely affect the operation of computer networks, prompting the need for methods able to timely detect them, and then to apply mitigation countermeasures. Visual models have been used to detect an ongoing DDoS attack, but often demand continuous attention from IT staff. However, machine learning techniques could complement a visual model with further information and with on-time alerts that could help IT officers give attention only when an attack is in progress at its very early stage. … Show more

“…Developing detection methods for cyber security can be divided broadly into two main approaches: signature-based detection [21]- [23] and anomaly-based detection [7], [15], [24]- [27]. To identify malicious domains, detection methods typically use DNS data, as considered in this paper.…”

“…However, due to caching at the recursive resolver level, not all queries will be visible to that server. The DNS-ADVP platform [7] analyzes passive DNS records from an Authoritative DNS server to identify DDoS (Distributed Denial of Service) attacks against Top-Level domains. The Kopis system [12] passively monitors DNS traffic at the upper levels of the DNS hierarchy (Authoritative servers and TLDs) to detect malware domains using the global visibility obtained by monitoring network traffic at the upper DNS hierarchy without relying on monitoring traffic from local recursive DNS servers.…”

“…One is to initiate queries to a predetermined large collection of domains to obtain the domain resolution responses [18]. The other is to collect the requests and their responses initiated by clients passively [7], [12]- [14], [20]. The first approach is known as active DNS data collection, and the latter is called passive DNS data collection.…”

“…Another approach to achieve ground truth on malicious behavior is to simulate attacks. In [7], the authors created synthetic DDoS attacks over different time frames to test their DDoS attack classifier.…”

“…Since DNS is ubiquitous across the internet, DNS services have been abused in different ways to execute a range of attacks [1]. An attacker can exploit a set of domains to carry out complex attacks, while targeting users and organizations through malware related campaigns such as phishing [2]- [4], pharming [5], [6], and Distributed Denial of Service (DDoS) attacks using a multitude of botnets [7], [8]. One notorious example is the Dyn DDoS cyberattack by the Mirai botnet in 2016 [9].…”

IMDoC: Identification of Malicious Domain Campaigns via DNS and Communicating Files

“…Developing detection methods for cyber security can be divided broadly into two main approaches: signature-based detection [21]- [23] and anomaly-based detection [7], [15], [24]- [27]. To identify malicious domains, detection methods typically use DNS data, as considered in this paper.…”

“…However, due to caching at the recursive resolver level, not all queries will be visible to that server. The DNS-ADVP platform [7] analyzes passive DNS records from an Authoritative DNS server to identify DDoS (Distributed Denial of Service) attacks against Top-Level domains. The Kopis system [12] passively monitors DNS traffic at the upper levels of the DNS hierarchy (Authoritative servers and TLDs) to detect malware domains using the global visibility obtained by monitoring network traffic at the upper DNS hierarchy without relying on monitoring traffic from local recursive DNS servers.…”

“…One is to initiate queries to a predetermined large collection of domains to obtain the domain resolution responses [18]. The other is to collect the requests and their responses initiated by clients passively [7], [12]- [14], [20]. The first approach is known as active DNS data collection, and the latter is called passive DNS data collection.…”

“…Another approach to achieve ground truth on malicious behavior is to simulate attacks. In [7], the authors created synthetic DDoS attacks over different time frames to test their DDoS attack classifier.…”

“…Since DNS is ubiquitous across the internet, DNS services have been abused in different ways to execute a range of attacks [1]. An attacker can exploit a set of domains to carry out complex attacks, while targeting users and organizations through malware related campaigns such as phishing [2]- [4], pharming [5], [6], and Distributed Denial of Service (DDoS) attacks using a multitude of botnets [7], [8]. One notorious example is the Dyn DDoS cyberattack by the Mirai botnet in 2016 [9].…”

IMDoC: Identification of Malicious Domain Campaigns via DNS and Communicating Files

Utilizing Deep Belief Network for Ensuring Privacy-Preserved Access Control of Data

A Machine Learning Based Approach for Detection of Distributed Denial of Service Attacks