Graduate School and Research Center in Communication Systems

EXPOSURE : Finding malicious domains using passive DNS analysis

Bilge, Leyla; Kirda, Engin; Kruegel, Christopher; Balduzzi, Marco

NDSS 2011, 18th Annual Network and Distributed System Security Symposium, 6-9 February 2011, San Diego, CA, USA

The domain name service (DNS) plays an important role in the operation of the Internet, providing a two-way mapping between domain names and their numerical identifiers. Given its fundamental role, it is not surprising that a wide variety of malicious activities involve the domain name service in one way or another. For example, bots resolve DNS names to locate their command and control servers, and spam mails contain URLs that link to domains that resolve to scam servers. Thus, it seems beneficial to monitor the use of the DNS system for signs that indicate that a certain name is used as part of a malicious operation.

In this paper, we introduce EXPOSURE, a system that employs large-scale, passive DNS analysis techniques to detect domains that are involved in malicious activity. We use 15 features that we extract from the DNS traffic that allow us to characterize different properties of DNS names and the ways that they are queried. Our experiments with a large, real-world data set consisting of 100 billion DNS requests, and a real-life deployment for two weeks in an ISP show that our approach is scalable and that we are able to automatically identify unknown malicious domains that are misused in a variety of malicious activity (such as for botnet command and control, spamming, and phishing).


Type:Conference
Language:English
City:San Diego
Country:UNITED STATES
Date:
Department:Networking and Security
Eurecom ref:3281
Copyright: © ISOC. Personal use of this material is permitted. The definitive version of this paper was published in NDSS 2011, 18th Annual Network and Distributed System Security Symposium, 6-9 February 2011, San Diego, CA, USA and is available at :
Bibtex: @inproceedings{EURECOM+3281, year = {2011}, title = {{EXPOSURE} : {F}inding malicious domains using passive {DNS} analysis}, author = {{B}ilge, {L}eyla and {K}irda, {E}ngin and {K}ruegel, {C}hristopher and {B}alduzzi, {M}arco}, booktitle = {{NDSS} 2011, 18th {A}nnual {N}etwork and {D}istributed {S}ystem {S}ecurity {S}ymposium, 6-9 {F}ebruary 2011, {S}an {D}iego, {CA}, {USA} }, address = {{S}an {D}iego, {UNITED} {STATES}}, month = {02}, url = {http://www.eurecom.fr/publication/3281} }