NS record History Based Abnormal DNS traffic Detection Considering Adaptive Botnet Communication Blocking

Ichise, Hikaru; Jin, Yong; Iida, Katsuyoshi; Takai, Yoshiaki

doi:10.2197/ipsjjip.28.112

Cited by 8 publications

(8 citation statements)

References 15 publications

(21 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Before the latency evaluation, we stored the destination IP addresses of the public DNS servers "8.8.8.8" and "1.1.1.1" to the DNS RPZ as legitimate in order to compare the latency of conventional domain name resolution. Furthermore, we also set up the previous system [12], [13] which used MySQL database in order to compare the latency with the proposed system using the DNS RPZ. As shown in Table 3, in the case of using the conventional DNS full resolver (172.16.100.13), the average latency for ten times of domain name resolution was 3,409.6ms in the previous system used MySQL database while that in the proposed system using the DNS RPZ was 2,406.4ms.…”

Section: Discussionmentioning

confidence: 99%

“…If the destination IP addresses are stored in the DNS RPZ the DNS query will be passed through, otherwise, the DNS query will be blocked. In the previous system [12], [13], we used MySQL database to store the DNS NS records and the glue A records. Accordingly, the destination IP address of each direct outbound DNS query needs to be verified by accessing the MySQL database using TCP connection which may cause unnecessary overhead.…”

Section: Designmentioning

confidence: 99%

“…Based on the above observation, we have ever considered and investigated the detection and blocking system for the botnet communication based on monitoring the direct outbound DNS queries by using NS record history database, which store NS records and the corresponding glue A records and verifies every direct outbound DNS query [12], [13]. Particularly, we created a database that stores the NS records and the corresponding glue A records in order to differentiate the normal and abnormal direct outbound DNS queries.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Policy-based Detection and Blocking System for Abnormal Direct Outbound DNS Queries using RPZ

2022

Proceedings of 2022 the 12th International Workshop on Computer Science and Engineering

View full text Add to dashboard Cite

Bot-infected computers sending direct outbound DNS queries without obtaining the information of authoritative DNS servers from the DNS full resolvers set up in the internal network have become a critical security issue nowadays. In DNS protocol, the domain name resolution process obtains the information of necessary authoritative DNS name servers (NS records) at the beginning and then achieves the answers of the original DNS queries which is accomplished via the DNS full-service resolvers. However, some types of bot programs violate the DNS protocol process and send the direct outbound DNS queries to its Command and Control (C&C) servers (malicious DNS servers) for bot communication. We have investigated the detection and blocking the direct outbound DNS queries by using MySQL at an early stage. However, the network latency was arising as a critical issue. In this advanced research, we propose a policybased detection and blocking system for abnormal direct outbound DNS queries using DNS Response Policy Zones (DNS RPZ) in order to solve the issues. In this paper, we describe the design of the proposed system and introduce an implemented prototype system. In addition, we also describe the preliminary evaluation results per feature of the proposed system conducted on the prototype, and finally, we introduce the tasks planed for future work.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Designmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Policy-based Detection and Blocking System for Abnormal Direct Outbound DNS Queries using RPZ

2022

Proceedings of 2022 the 12th International Workshop on Computer Science and Engineering

View full text Add to dashboard Cite

show abstract

“…Security threats take different forms, but one of these form is taking the advantage of domain name system (DNS) protocol for passing dangerous and malicious procedures, this attack attempt is known as DNS tunneling [1]. DNS is characterized by its simplicity where it intends to offer a straightforward way for accessing particular server through the domain name instead of the IP address [2][3][4][5]. Because of its simplicity, attackers attempt to use it for creating a tunnel to execute malicious scripts that intended to capture confidential information, gaining a super access, or attempting to harm the server [6].…”

Section: Introductionmentioning

confidence: 99%

A hybrid method of genetic algorithm and support vector machine for DNS tunneling detection

Al-Ibraheemi

AL-Ibraheemi²,

Amintoosi

2021

IJECE

View full text Add to dashboard Cite

With the expansion of the business over the internet, corporations nowadays are investing numerous amounts of money in the web applications. However, there are different threats could make the corporations vulnerable for potential attacks. One of these threats is harnessing the domain name protocol for passing harmful information, this kind of threats is known as DNS tunneling. As a result, confidential information would be exposed and violated. Several studies have investigated the machine learning in order to propose a detection approach. In their approaches, authors have used different and numerous types of features such as domain length, number of bytes, content, volume of DNS traffic, number of hostnames per domain, geographic location and domain history. Apparently, there is a vital demand to accommodate feature selection task in order to identify the best features. This paper proposes a hybrid method of genetic algorithm feature selection approach with the support vector machine classifier for the sake of identifying the best features that have the ability to optimize the detection of DNS tunneling. To evaluate the proposed method, a benchmark dataset of DNS tunneling has been used. Results showed that the proposed method has outperformed the conventional SVM by achieving 0.946 of f-measure

show abstract

“…With the rapid development of the internet, the network is becoming an indispensable part of people's daily study and work, bringing great convenience to people's production and life. The security problems in the network, however, are becoming more and more prominent, the spread of Trojan horses, 1 viruses, 2 malware, 3 and so forth is becoming increasingly widespread, and the means of network attacks are becoming increasingly advanced and hidden, 4 which affects not only the stable operation of the network but also national security 5 ; therefore, network security has become an increasingly important issue. Network traffic contains a large amount of information, and it is of great importance to protect network security if abnormal traffic can be detected in time.…”

Section: Introductionmentioning

confidence: 99%

A study of detection of abnormal network traffic: A comparison of multiple algorithms

2021

Security and Privacy

View full text Add to dashboard Cite

The detection of abnormal traffic in networks is of great value for maintaining network security. This article gives a brief introduction of abnormal traffic and compares the performance of three algorithms, the support vector domain description algorithm, the gradient boosting decision tree algorithm, and the extreme learning machine-k-nearest neighbor (ELM-KNN) algorithm. Experiments were carried out on the NSL-KDD dataset. It was found that the accuracies of the three algorithms were 0.8327, 0.8679, and 0.9468, the recall rates were 0.6764, 0.7236, and 0.8997, the F1-scores were 0.7898, 0.8364, and 0.9578, and the false alarm rates were 0.3236, 0.2764, and 0.1003. The running time of the ELM-KNN algorithm was far less than the other two algorithms. The experimental results verify the effectiveness of the ELM-KNN algorithm in abnormal network traffic detection. The ELM-KNN algorithm can be further promoted and applied in practice.

show abstract

NS record History Based Abnormal DNS traffic Detection Considering Adaptive Botnet Communication Blocking

Cited by 8 publications

References 15 publications

Policy-based Detection and Blocking System for Abnormal Direct Outbound DNS Queries using RPZ

Policy-based Detection and Blocking System for Abnormal Direct Outbound DNS Queries using RPZ

A hybrid method of genetic algorithm and support vector machine for DNS tunneling detection

A study of detection of abnormal network traffic: A comparison of multiple algorithms

Contact Info

Product

Resources

About