Leyla Bilge
Skip Abstract Section
Abstract
A wide range of malicious activities rely on the domain name service (DNS) to manage their large, distributed networks of infected machines. As a consequence, the monitoring and analysis of DNS queries has recently been proposed as one of the most promising techniques to detect and blacklist domains involved in malicious activities (e.g., phishing, spam, botnets command-and-control, etc.). EXPOSURE is a system we designed to detect such domains in real time, by applying 15 unique features grouped in four categories.
We conducted a controlled experiment with a large, real-world dataset consisting of billions of DNS requests. The extremely positive results obtained in the tests convinced us to implement our techniques and deploy it as a free, online service. In this article, we present the Exposure system and describe the results and lessons learned from 17 months of its operation. Over this amount of time, the service detected over 100K malicious domains. The statistics about the time of usage, number of queries, and target IP addresses of each domain are also published on a daily basis on the service Web page.
- Alexa. 2009. Alexa web information company. http://www.alexa.com/topsites/.Google Scholar
- Amini, B. 2008. Kraken botnet infiltration. http://dvlabs.tippingpoint.com/blog/2008/04/28/kraken-botnet-infiltration.Google Scholar
- Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., and Feamster, N. 2010. Building a dynamic reputation system for DNS. In Proceedings of the 19th Usenix Security Symposium. Google ScholarDigital Library
- Antonakakis, M., Perdisci, R., Lee, W., Vasiloglou, N., and Dagon, D. 2011. Detecting malware domains at the upper DNS hierarchy. In Proceedings of the 20th Usenix Security Symposium. Google ScholarDigital Library
- Antonakakis, M., Perdisci, R., Nadji, Y., Vasiloglou, N., Abu-Nimeh, S., Lee, W., and Dagon, D. 2012. From throw-away traffic to bots: Detecting the rise of dga-based malware. In Proceedings of the 21st Usenix Security Symposium. Google ScholarDigital Library
- Basseville, M. and Nikiforov, I. V. 1993. Detection of Abrupt Changes - Theory and Application. Prentice-Hall. Google ScholarDigital Library
- Bayer, U., Kruegel, C., and Kirda, E. 2006. TTAnalyze: A tool for analyzing malware. In Proceedings of the 15th EICAR Conference.Google Scholar
- Berkhin, P. 2002. Survey of clustering data mining techniques. Tech. rep. http://www.cc.gatech.edu/~isbell/classes/reading/papers/berkhin02survey.pdf.Google Scholar
- Bilge, L., Kirda, E., Kruegel, C., and Balduzzi, M. 2011. Exposure: Finding malicious domains using passive DNS analysis. In Proceedings of the Annual Network and Distributed System Security Symposium (NDSS’11).Google Scholar
- Bradley, A. P. 1997. The use of the area under the roc curve in the evaluation of machine learning algorithms. Pattern Recogn. 30, 1145--1159. Google ScholarDigital Library
- Choi, H., Lee, H., and Kim, H. 2007. Botnet detection by monitoring group activities in DNS traffic. In Proceedings of the 7th IEEE International Conference on Computer and Information Technologies. Google ScholarDigital Library
- Chu, S., Keogh, E., Hart, D., Pazzani, M., and Michael. 2002. Iterative deepening dynamic time warping for time series. In Proceedings of the 2nd SIAM International Conference on Data Mining.Google ScholarCross Ref
- Cova, M. 2013. Wepawet. http://wepawet.iseclab.org/.Google Scholar
- DNS. 2010. DNSBL - Spam database lookup. http://www.dnsbl.info/.Google Scholar
- Domains, M. 2009. Malware domain block list. http://www.malwaredomains.com/.Google Scholar
- ECJ. 2012. ecj20: A java-based evolutionary computation research system. http://cs.gmu.edu/eclab/projects/ecj/.Google Scholar
- Felegyhazi, M., Kreibich, C., and Paxson, V. 2010. On the potential of proactive domain blacklisting. In Proceedings of the 3rd USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET’10). Google ScholarDigital Library
- Google. 2010. Google safe browsing. http://www.google.com/tools/firefox/safebrowsing/.Google Scholar
- Holz, T., Gorecki, C., Rieck, K., and Freiling, F. 2008. Measuring and detecting fast-flux service networks. In Proceedings of the Annual Network and Distributed System Security Symposium (NDSS’08).Google Scholar
- ISC. 2010. Internet systems consortium. https://sie.isc.org/.Google Scholar
- Keogh, E., Chakrabarti, K., Pazzani, M., and Mehrotra, S. 2001. Locally adaptive dimensionality reduction for indexing large time series databases. In Proceedings of the ACM SIGMOD Conference on Management of Data (SIGMOD’01). 151--162. Google ScholarDigital Library
- Konte, M., Feamster, N., and Jung, J. 2009. Dynamics of online scam hosting infrastructure. In Proceedings of the Passive and Active Measurement Conference. Google ScholarDigital Library
- List, M. D. 2009a. Malware domains list. http://www.malwaredomainlist.com/mdl.php.Google Scholar
- List, Z. B. 2009b. Zeus domain blocklist. https://zeustracker.abuse.ch/blocklist.php?download=Domainblocklist.Google Scholar
- Ma, J., Saul, L. K., Savage, S., and Voelker, G. M. 2009. Beyond blacklists: Learning to detect malicious web sites from suspicious urls. In Proceedings of the 15th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD’09). 1245--1254. Google ScholarDigital Library
- McAfee. 2010. McAfee siteadvisor. http://www.siteadvisor.com/.Google Scholar
- Nazario, J. and Holz, T. 2008. As the net churns: Fast-flux botnet observations. In Proceedings of the International Conference on Malicious and Unwanted Software.Google Scholar
- Norton. 2010. Norton safe web. http://safeweb.norton.com/.Google Scholar
- Open Graph. 2013. The open graph viz platform. https://gephi.org.Google Scholar
- Passerini, E., Paleari, R., Martignoni, L., and Bruschi, D. 2008. Fluxor: Detecting and monitoring fast-flux service networks. In Proceedings of the 5th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA’08). Google ScholarDigital Library
- Perdisci, R., Corona, I., Dagon, D., and Lee, W. 2009. Detecting malicious flux service networks through passive analysis of recursive dns traces. In Proceedings of the 25th Annual Computer Security Applications Conference (ACSAC’09). Google ScholarDigital Library
- Phishtank. 2009. Phishtank. http://www.phishtank.com/.Google Scholar
- Porras, P., Saidi, H., and Yegneswaran, V. 2009. A foray into conficker’s logic and rendezvous points. In Proceedings of the USENIX Workshop on Large-Scale Exploits and Emergent Threats. Google ScholarDigital Library
- Quinlan, J. 1995. Learning with continuous classes. In Proceedings of the 5th Australian Joint Conference on Artificial Intelligence. World Scientific. 343--348.Google Scholar
- RFC. 1995. RFC 1794 - DNS support for load balancing. http://tools.ietf.org/html/rfc1794.Google Scholar
- RFC. 1996. RFC 1912 - Common dns operational and configuration errors. http://www.faqs.org/rfcs/rfc1912.html.Google Scholar
- Stone-Gross, B., Cova, M., Cavallaro, L., Gilbert, B., Szydlowski, M., Kemmerer, R., Kruegel, C., and Vigna, G. 2009. Your botnet is my botnet: Analysis of a botnet takeover. In Proceedings of the ACM Conference on Computer and Communication Security (CCS’09). Google ScholarDigital Library
- Symantec. 2011. Symantec threat report. http://www.symantec.com/business/theme.jsp?themeid=threatreport.Google Scholar
- Theodoridis, S. and Koutroumbas, K. 2009. Pattern Recognition. Academic Press. Google ScholarDigital Library
- Turaga, D., Vlachos, M., and Verscheure, O. 2009. On k-means cluster preservation using quantization schemes. In Proceedings of the IEEE International Conference on Data Mining (ICDM’09). Google ScholarDigital Library
- Villamarn-Salomn, R. and Brustoloni, J. C. 2009. Bayesian bot detection based on dns traffic similarity. In Proceedings of the ACM Symposium on Applied Computing (SAC’09). Google ScholarDigital Library
- Weimer, F. 2005. Passive DNS replication. In Proceedings of the 1st Conference on Computer Security Incident.Google Scholar
- WHOIS. 1995. RFC1834 - Whois and network information lookup service, whois++. http://www.faqs.org/rfcs/rfc1834.html.Google Scholar
- Witten, I. and Frank, E. 2005. Data Mining: Practical Machine Learning Tools and Techniques. Morgan Kaufmann, San Fransisco, CA. Google ScholarDigital Library
- Wolf, J. 2008. Technical details of srizbis domain generation algorithm. http://tinyurl.com/6mdasc.Google Scholar
- Zdrnja, B., Brownlee, N., and Wessels, D. 2007. Passive monitoring of dns anomalies. In Proceedings of the 4th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA’07). 129--139. Google ScholarDigital Library
- Zitouni, H., Sevil, S., Ozkan, D., and Duygulu, P. 2008. Re-ranking of image search results using a graph algorithm. In Proceedings of the 9th International Conference on Pattern Recognition.Google Scholar
Index Terms
- Exposure: A Passive DNS Analysis Service to Detect and Report Malicious Domains
Recommendations
Following Passive DNS Traces to Detect Stealthy Malicious Domains Via Graph Inference
Malicious domains, including phishing websites, spam servers, and command and control servers, are the reason for many of the cyber attacks nowadays. Thus, detecting them in a timely manner is important to not only identify cyber attacks but also take ...
Discovering Malicious Domains through Passive DNS Data Graph Analysis
ASIA CCS '16: Proceedings of the 11th ACM on Asia Conference on Computer and Communications SecurityMalicious domains are key components to a variety of cyber attacks. Several recent techniques are proposed to identify malicious domains through analysis of DNS data. The general approach is to build classifiers based on DNS-related local domain ...
Malware detection using DNS records and domain name features
ICFNDS '18: Proceedings of the 2nd International Conference on Future Networks and Distributed SystemsAs billions of people depend on Internet application to perform day to day tasks, the prevalent of malwares and online attacks cause a huge loss to global Internet economy prevalent. Domain name system is one of the core components of the Internet, ...
Comments