Fast Flux Service Network Detection via Data Mining on Passive DNS Traffic

Lombardo, Pierangelo; Saeli, Salvatore; Bisio, Federica; Bernardi, Davide; Massa, Danilo

doi:10.1007/978-3-319-99136-8_25

Cited by 7 publications

(4 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Latest works in the area of DNS tunneling detection mainly cover three main categories, i.e., detection approaches via machine learning, real-time detection approaches, and detection of DNS tunneling variants (e.g., fast flux [9] and domain generation algorithms (DGAs) [8]).…”

Section: Related Workmentioning

confidence: 99%

“…Thus, by abusing legitimate network traffic protocols, like DNS [7], the attacker maximizes the time in which the infection remains undetected. In this work, we rely on a commercial network security monitoring platform for detecting and investigating potentially malicious or anomalous activities [8][9][10][11], but the proposed solution can be easily integrated into any network security monitoring platform able to provide network flow information along with its metadata. The platform we employ is responsible for collecting, processing network flows, and dispatching them to one or more advanced cybersecurity analytics (ACAs) which are able to recognize the signals of possible occurring attacks and anomalies.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Towards a Near-Real-Time Protocol Tunneling Detector Based on Machine Learning Techniques

Sobrero,

Clavarezza,

Ucci

et al. 2023

JCP

Self Cite

View full text Add to dashboard Cite

In the very recent years, cybersecurity attacks have increased at an unprecedented pace, becoming ever more sophisticated and costly. Their impact has involved both private/public companies and critical infrastructures. At the same time, due to the COVID-19 pandemic, the security perimeters of many organizations expanded, causing an increase in the attack surface exploitable by threat actors through malware and phishing attacks. Given these factors, it is of primary importance to monitor the security perimeter and the events occurring in the monitored network, according to a tested security strategy of detection and response. In this paper, we present a protocol tunneling detector prototype which inspects, in near real-time, a company’s network traffic using machine learning techniques. Indeed, tunneling attacks allow malicious actors to maximize the time in which their activity remains undetected. The detector monitors unencrypted network flows and extracts features to detect possible occurring attacks and anomalies by combining machine learning and deep learning. The proposed module can be embedded in any network security monitoring platform able to provide network flow information along with its metadata. The detection capabilities of the implemented prototype have been tested both on benign and malicious datasets. Results show an overall accuracy of 97.1% and an F1-score equal to 95.6%.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Towards a Near-Real-Time Protocol Tunneling Detector Based on Machine Learning Techniques

Sobrero,

Clavarezza,

Ucci

et al. 2023

JCP

Self Cite

View full text Add to dashboard Cite

show abstract

“…By training Machine Learning models on large datasets of known FFSNs, researchers can develop models that can accurately detect FFSNs in real-time (Caglayan et al, 2009;Lombardo et al, 2018).…”

Section: State Of the Artmentioning

confidence: 99%

A Generic Architecture for Building a Domain Name Reputation System

Rotuna¹,

GHEORGHIȚĂ²,

SANDU³

et al. 2023

SIC

View full text Add to dashboard Cite

Due to the significant increase in the number of newly registered domains (nearly 100 million in a year), and to the rise in the number of malicious domains that pose a threat to DNS servers, there is a need for an automated monitoring solution for evaluating the reputation of a domain name. This paper aims to present the architecture of an automatic monitoring platform, which could dynamically establish the reputation level for each .ro domain, and also for other domains. The primary objective of this paper is to enhance the trustworthiness of .ro domains against malicious activities in the Internet space through automatic monitoring and by offering solutions for data protection. If the reputation level of a .ro domain is determined, its future owners (including authorities, public institutions, private companies, natural persons, etc.) could have a clear understanding of the degree of trust associated with that domain, thereby creating a safer online environment.

show abstract

“…As an example, in Kitsune [113] rate from below 1% to over 95% while maintaining a low false positive rate (below 0.1%). The advantages of unsupervised ML methods make them suitable for commercial products: as an example, the method in [105] is used by Aizoon 11 to support botnet detection via DNS analyses, achieving less than 0.1% false positive rate. Our detailed case study in §7.1 presents the deployment of unsupervised ML used by Montimage to detect anomalous activities in a modern network.…”

Section: Machine Learning In Network Intrusion Detectionmentioning

confidence: 99%

The Role of Machine Learning in Cybersecurity

Apruzzese,

Laskov,

de Oca

et al. 2022

Preprint

View full text Add to dashboard Cite

Machine Learning (ML) represents a pivotal technology for current and future information systems, and many domains already leverage the capabilities of ML. However, deployment of ML in cybersecurity is still at an early stage, revealing a significant discrepancy between research and practice. Such discrepancy has its root cause in the current state-of-the-art, which does not allow to identify the role of ML in cybersecurity. The full potential of ML will never be unleashed unless its pros and cons are understood by a broad audience.This paper is the first attempt to provide a holistic understanding of the role of ML in the entire cybersecurity domain-to any potential reader with an interest in this topic. We highlight the advantages of ML with respect to human-driven detection methods, as well as the additional tasks that can be addressed by ML in cybersecurity. Moreover, we elucidate various intrinsic problems affecting real ML deployments in cybersecurity. Finally, we present how various stakeholders can contribute to future developments of ML in cybersecurity, which is essential for further progress in this field. Our contributions are complemented with two real case studies describing industrial applications of ML as defense against cyber-threats.

show abstract

Fast Flux Service Network Detection via Data Mining on Passive DNS Traffic

Cited by 7 publications

References 14 publications

Towards a Near-Real-Time Protocol Tunneling Detector Based on Machine Learning Techniques

Towards a Near-Real-Time Protocol Tunneling Detector Based on Machine Learning Techniques

A Generic Architecture for Building a Domain Name Reputation System

The Role of Machine Learning in Cybersecurity

Contact Info

Product

Resources

About