EXPOSURE: Finding malicious domains using passive DNS analysis

Bilge, Leyla; Kirda, Engin; Kruegel, Christopher; Balduzzi, Marco
NDSS 2011, 18th Annual Network and Distributed System Security Symposium, 6-9 February 2011, San Diego, CA, USA

The domain name service (DNS) plays an important role in the operation of the Internet, providing a two-way mapping between domain names and their numerical identifiers. Given its fundamental role, it is not surprising that a wide variety of malicious activities involve the domain name service in one way or another. For example, bots resolve DNS names to locate their command and control servers, and spam mails contain URLs that link to domains that resolve to scam servers. Thus, it seems beneficial to monitor the use of the DNS system for signs that indicate that a certain name is used as part of a malicious operation.

In this paper, we introduce EXPOSURE, a system that employs large-scale, passive DNS analysis techniques to detect domains that are involved in malicious activity. We use 15 features that we extract from the DNS traffic that allow us to characterize different properties of DNS names and the ways that they are queried. Our experiments with a large, real-world data set consisting of 100 billion DNS requests, and a real-life deployment for two weeks in an ISP show that our approach is scalable and that we are able to automatically identify unknown malicious domains that are misused in a variety of malicious activity (such as for botnet command and control, spamming, and phishing).

Type:
Conference
City:
San Diego
Date:
2011-02-06
Department:
Digital Security
Eurecom Ref:
3281
Copyright:
© ISOC. Personal use of this material is permitted. The definitive version of this paper was published in NDSS 2011, 18th Annual Network and Distributed System Security Symposium, 6-9 February 2011, San Diego, CA, USA and is available at:

PERMALINK : https://www.eurecom.fr/publication/3281