DNS has been increasingly abused by adversaries for cyber-attacks. Recent research has leveraged DNS failures (i.e. DNS queries that result in a Non-Existent-Domain response from the server) to identify malware activities, especially domain-flux botnets that generate many random domains as a rendezvous technique for command-and-control. Using ISP network traces, we conduct a systematic analysis of DNS failure characteristics, with the goal of uncovering how attackers exploit DNS for malicious activities. In addition to DNS failures generated by domain-flux bots, we discover many diverse and stealthy failure patterns that have received little attention. Based on these findings, we present a framework that detects diverse clusters of suspicious domain names that cause DNS failures, by considering multiple types of syntactic as well as temporal patterns. Our evolutionary learning framework evaluates the clusters produced over time to eliminate spurious cases while retaining sustaining (i.e., highly suspicious) clusters. One of the advantages of our framework is in analyzing DNS failures on per-client basis and not hinging on the existence of multiple clients infected by the same malware. Our evaluation on a large ISP network trace shows that our framework detects at least 97% of the clients with suspicious DNS behaviors, with over 81% precision.
|Original language||English (US)|
|Title of host publication||2015 IEEE Conference on Communications and NetworkSecurity, CNS 2015|
|Publisher||Institute of Electrical and Electronics Engineers Inc.|
|Number of pages||9|
|State||Published - Dec 3 2015|
|Event||3rd IEEE International Conference on Communications and Network Security, CNS 2015 - Florence, Italy|
Duration: Sep 28 2015 → Sep 30 2015
|Name||2015 IEEE Conference on Communications and NetworkSecurity, CNS 2015|
|Other||3rd IEEE International Conference on Communications and Network Security, CNS 2015|
|Period||9/28/15 → 9/30/15|
Bibliographical noteFunding Information:
Pengkui Luo and Zhi-Li Zhang were supported in part by NSF grants CNS-1117536, CRI-1305237, CNS-1411636 and DTRA grant HDTRA1-14-1-0040 and DoD ARO MURI Award W911NF-12-1-0385.
© 2015 IEEE.