Nizar Kheir scite author profile

A recent trend both in academia and industry is to explore the use of deception techniques to achieve proactive attack detection and defense—to the point of marketing intrusion deception solutions as zero-false-positive intrusion detection. However, there is still a general lack of understanding of deception techniques from a research perspective, and it is not clear how the effectiveness of these solutions can be measured and compared with other security approaches. To shed light on this topic, we introduce a comprehensive classification of existing solutions and survey the current application of deception techniques in computer security. Furthermore, we discuss the limitations of existing solutions, and we analyze several open research directions, including the design of strategies to help defenders to design and integrate deception within a target architecture, the study of automated ways to deploy deception in complex systems, the update and re-deployment of deception, and, most importantly, the design of new techniques and experiments to evaluate the effectiveness of the existing deception techniques.

show abstract

Mentor: Positive DNS Reputation to Skim-Off Benign Domains in Botnet C&C Blacklists

Kheir

Tran

Caron

et al. 2014

View full text Add to dashboard Cite

The Domain Name System (DNS) is an essential infrastructure service on the internet. It provides a worldwide mapping between easily memorizable domain names and numerical IP addresses. Today, legitimate users and malicious applications use this service to locate content on the internet. Yet botnets increasingly rely on DNS to connect to their command and control servers. A widespread approach to detect bot infections inside corporate networks is to inspect DNS traffic using domain C&C blacklists. These are built using a wide range of techniques including passive DNS analysis, malware sandboxing and web content filtering. Using DNS to detect botnets is still an error-prone process; and current blacklist generation algorithms often add innocuous domains that lead to a large number of false positives during detection. This paper presents a new system called Mentor. It implements a scalable, positive DNS reputation system that automatically removes benign entries within a blacklist of botnet C&C domains. Mentor embeds a crawler system that collects statistical features about a suspect domain name, including both web content and DNS properties. It applies supervised learning to a labeled set of known benign and malicious domain names, using its features set in order to build a DNS pruning model. It further processes domain blacklists using this model in order to skim-off benign domains and keep only true malicious domains for detection. We tested our system against a wide set of public botnet blacklists. Experimental results prove the ability of this system to efficiently detect and remove benign domain names with a very low false positives rate.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Nizar Kheir

A Service Dependency Model for Cost-Sensitive Intrusion Response

Internet of Things: A Definition & Taxonomy

Deception Techniques in Computer Security

Mentor: Positive DNS Reputation to Skim-Off Benign Domains in Botnet C&C Blacklists

Contact Info

Product

Resources

About

Nizar Kheir

A Service Dependency Model for Cost-Sensitive Intrusion Response

Internet of Things: A Definition &amp; Taxonomy

Deception Techniques in Computer Security

Mentor: Positive DNS Reputation to Skim-Off Benign Domains in Botnet C&C Blacklists

Contact Info

Product

Resources

About

Internet of Things: A Definition & Taxonomy