Leveraging client-side DNS failure patterns to identify malicious behaviors

Pengkui Luo, Ruben Torres, Zhi-Li Zhang, Sabyasachi Saha, Sung Ju Lee, Antonio Nucci, Marco Mellia

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

6 Scopus citations

Abstract

DNS has been increasingly abused by adversaries for cyber-attacks. Recent research has leveraged DNS failures (i.e., DNS queries that result in a Non-Existent-Domain response from the server) to identify malware activities, especially domain-flux botnets that generate many random domains as a rendezvous technique for command-and-control. Using ISP network traces, we conduct a systematic analysis of DNS failure characteristics, with the goal of uncovering how attackers exploit DNS for malicious activities. In addition to DNS failures generated by domain-flux bots, we discover many diverse and stealthy failure patterns that have received little attention. Based on these findings, we present a framework that detects diverse clusters of suspicious domain names that cause DNS failures, by considering multiple types of syntactic as well as temporal patterns. Our evolutionary learning framework evaluates the clusters produced over time to eliminate spurious cases while retaining sustaining (i.e., highly suspicious) clusters. One of the advantages of our framework is that it analyzes DNS failures on a per-client basis and does not hinge on the existence of multiple clients infected by the same malware. Our evaluation on a large ISP network trace shows that our framework detects at least 97% of the clients with suspicious DNS behaviors, with over 81% precision.
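As an added illustration (not the paper's framework or its code), the Python sketch below combines the two ideas the abstract describes: grouping one client's NXDOMAIN names by a coarse syntactic signature, then keeping only clusters that persist across time windows while one-off failures such as typos fall away. The log records, the signature features (TLD, label length bucket, character entropy bucket) and the thresholds are constructed assumptions for the example.

```python
import math
from collections import defaultdict

# Constructed NXDOMAIN records for illustration: (time_window, client, queried_name).
# Client 10.0.0.5 issues random-looking names in every window plus one typo;
# client 10.0.0.7 only mistypes two real names once. None of these are real indicators.
NXDOMAIN_LOG = [
    (1, "10.0.0.5", "kq3xv9zt2a.com"), (1, "10.0.0.5", "m7pwc4hy1b.com"),
    (2, "10.0.0.5", "r8dnf5gj6e.com"), (2, "10.0.0.5", "t2lsq7vk3o.com"),
    (3, "10.0.0.5", "w9bxh1mz4u.com"), (3, "10.0.0.5", "p5kyv8nc2d.com"),
    (2, "10.0.0.5", "gogle.com"),
    (1, "10.0.0.7", "gogle.com"), (1, "10.0.0.7", "ynoutube.com"),
]

def shannon_entropy(s):
    """Bits of entropy per character in the string s."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def syntactic_key(qname):
    """Coarse syntactic signature: (TLD, label length bucket, entropy bucket)."""
    label, _, tld = qname.rpartition(".")
    return (tld, len(label) // 4, int(shannon_entropy(label)))

def cluster_failures(records):
    """Per client, group failed names by syntactic key and record the windows seen."""
    clusters = defaultdict(lambda: defaultdict(lambda: {"windows": set(), "names": set()}))
    for window, client, qname in records:
        entry = clusters[client][syntactic_key(qname)]
        entry["windows"].add(window)
        entry["names"].add(qname)
    return clusters

def sustaining_clusters(records, min_windows=2, min_names=3):
    """Keep clusters that recur across windows (temporal) and hold several names (syntactic)."""
    flagged = {}
    for client, by_key in cluster_failures(records).items():
        keep = [(key, sorted(c["names"])) for key, c in by_key.items()
                if len(c["windows"]) >= min_windows and len(c["names"]) >= min_names]
        if keep:
            flagged[client] = keep
    return flagged

if __name__ == "__main__":
    for client, clusters in sustaining_clusters(NXDOMAIN_LOG).items():
        for key, names in clusters:
            print(client, key, names)
```

Only 10.0.0.5 is reported, and its typo "gogle.com" lands in a separate, non-sustaining cluster, which is the per-client filtering the abstract describes.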

Original language: English (US)
Title of host publication: 2015 IEEE Conference on Communications and Network Security, CNS 2015
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 406-414
Number of pages: 9
ISBN (Electronic): 9781467378765
DOIs
State: Published - Dec 3 2015
Event: 3rd IEEE International Conference on Communications and Network Security, CNS 2015 - Florence, Italy
Duration: Sep 28 2015 - Sep 30 2015

Publication series

Name: 2015 IEEE Conference on Communications and Network Security, CNS 2015

Other

Other: 3rd IEEE International Conference on Communications and Network Security, CNS 2015
Country/Territory: Italy
City: Florence
Period: 9/28/15 - 9/30/15

Bibliographical note

Funding Information:
Pengkui Luo and Zhi-Li Zhang were supported in part by NSF grants CNS-1117536, CRI-1305237, CNS-1411636 and DTRA grant HDTRA1-14-1-0040 and DoD ARO MURI Award W911NF-12-1-0385.

Publisher Copyright:
© 2015 IEEE.
