
EXPOSURE: a passive DNS analysis service to detect and report malicious domains

Bilge, Leyla; Sen, Sevil; Balzarotti, Davide; Kirda, Engin; Kruegel, Christopher

ACM Transactions on Information and System Security (TISSEC), Volume 16, N°4, April 2014, ISSN: 1094-9224

A wide range of malicious activities rely on the domain name system (DNS) to manage their large, distributed networks of infected machines. As a consequence, the monitoring and analysis of DNS queries has recently been proposed as one of the most promising techniques to detect and blacklist domains involved in malicious activities (e.g., phishing, spam, botnet command and control). EXPOSURE is a system we designed to detect such domains in real time by applying 15 unique features grouped into 4 categories. We conducted a controlled experiment with a large, real-world data set consisting of billions of DNS requests. The extremely positive results obtained in the tests convinced us to implement our techniques and deploy them as a free, online service. In this paper, we present the EXPOSURE system and describe the results and the lessons learned from 17 months of operation. Over that period, the service detected over 100K malicious domains. Statistics about the time of usage, number of queries, and target IP addresses of each domain are also published daily on the service webpage.
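To make the passive-DNS approach in the abstract concrete, the following Python is an added example, not EXPOSURE's code: it derives a handful of per-domain features from a constructed set of resolver observations (time, answer, TTL and domain-name based, mirroring the kinds of categories the abstract counts) and applies a hand-written threshold rule in place of the trained classifier the page does not describe. The record format, the specific features, the sample domains and the thresholds are all illustrative assumptions and are not the paper's 15 features.

```python
"""Toy passive-DNS feature extraction in the spirit of the EXPOSURE abstract.

Added example, not the EXPOSURE code. The records, the feature choices and
the thresholds in classify() are constructed for illustration; they are not
the paper's 15 features or its trained classifier.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class DnsRecord:
    ts: int       # epoch seconds at which the resolver saw the query
    qname: str    # queried domain name
    answer: str   # IPv4 address in the A record answer
    ttl: int      # TTL of that A record


def _flux_like(prefix, ttl):
    # Constructed: a domain whose answers rotate through a /24 every 10 minutes.
    return [DnsRecord(1000 + i * 600, "xk3p9q-update.example", f"{prefix}.{i}", ttl)
            for i in range(20)]


RECORDS = (
    _flux_like("203.0.113", 60)
    + _flux_like("198.51.100", 30)
    # Constructed: a stable domain, one IP, long TTL, one query per hour.
    + [DnsRecord(1000 + i * 3600, "news.example", "192.0.2.10", 3600) for i in range(20)]
)


def extract_features(records):
    """Per-domain features, one small group per category named in the abstract."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[r.qname].append(r)

    features = {}
    for domain, rs in by_domain.items():
        rs = sorted(rs, key=lambda r: r.ts)
        hours = Counter(r.ts // 3600 for r in rs)
        ttls = [r.ttl for r in rs]
        prefixes = {ipaddress.ip_network(f"{r.answer}/24", strict=False) for r in rs}
        changes = sum(a.answer != b.answer for a, b in zip(rs, rs[1:]))
        label = domain.split(".")[0]
        features[domain] = {
            # time-based: how concentrated the query volume is in its busiest hour
            "busiest_hour_fraction": max(hours.values()) / len(rs),
            # answer-based: diversity of the resolved addresses
            "distinct_ips": len({r.answer for r in rs}),
            "distinct_prefixes": len(prefixes),
            "ip_change_rate": changes / max(1, len(rs) - 1),
            # TTL-based: short TTLs let an operator re-point the name quickly
            "avg_ttl": sum(ttls) / len(ttls),
            "distinct_ttls": len(set(ttls)),
            # domain-name-based: algorithmically generated labels tend to carry digits
            "digit_ratio": sum(c.isdigit() for c in label) / len(label),
            "label_length": len(label),
        }
    return features


# Hypothetical thresholds standing in for a trained classifier.
INDICATORS = {
    "distinct_ips": lambda v: v >= 10,
    "distinct_prefixes": lambda v: v >= 2,
    "ip_change_rate": lambda v: v > 0.5,
    "avg_ttl": lambda v: v < 300,
    "digit_ratio": lambda v: v > 0.1,
}


def classify(feats, min_hits=3):
    """'suspicious' when at least min_hits indicators fire, else 'benign'."""
    hits = sum(1 for name, test in INDICATORS.items() if test(feats[name]))
    return "suspicious" if hits >= min_hits else "benign"


if __name__ == "__main__":
    for domain, feats in extract_features(RECORDS).items():
        print(domain, classify(feats), feats)
```

The point of the split into categories is that each one is cheap to evade on its own (a benign CDN also has many IPs and short TTLs), which is why a real deployment learns the combination from labelled data rather than hard-coding thresholds as done here.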


Title: EXPOSURE: a passive DNS analysis service to detect and report malicious domains
Keywords: Security, Measurement, Experimentation, Domain Name System, malicious domains, machine learning
Type: Journal
Language: English
City:
Date:
Department: Digital Security (Sécurité numérique)
Eurecom ref: 4209
Copyright: © ACM, 2014. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ACM Transactions on Information and System Security (TISSEC), Volume 16, N°4, April 2014, ISSN: 1094-9224 http://dx.doi.org/10.1145/2584679
Bibtex: @article{EURECOM+4209, doi = {http://dx.doi.org/10.1145/2584679}, year = {2014}, month = {01}, title = {{EXPOSURE}: a passive {DNS} analysis service to detect and report malicious domains}, author = {{B}ilge, {L}eyla and {S}en, {S}evil and {B}alzarotti, {D}avide and {K}irda, {E}ngin and {K}ruegel, {C}hristopher}, journal = {{ACM} {T}ransactions on {I}nformation and {S}ystem {S}ecurity ({TISSEC}), {V}olume 16, {N}°4, {A}pril 2014, {ISSN}: 1094-9224 }, url = {http://www.eurecom.fr/publication/4209} }
See also: