DNSSM: A large scale passive DNS security monitoring framework

Marchal, Samuel; Jérôme, François; Wagner, Cynthia; State, Radu; Dulaunoy, Alexandre; Engel, Thomas; Festor, Olivier

doi:10.1109/noms.2012.6212019

Cited by 19 publications

(14 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Marchal, et al in their work suggest the following features: the number of unique records address, the rate of growth in the number of unique addresses, time of life of the records, the number of unique records of name servers address as well as additional features related to the domain name: similarity of the domain names with the dictionary, the similarity of certain elements of the domain with valid domain names [26]. The work has proposed a new concept for the evaluation of the domain name.…”

Section: Related Workmentioning

confidence: 99%

“…This set of data was manually classified to provide D CDN ' and D BOT ' sets. [20,21,27] No No No Medium Large F2 Place of domain registration (country) [20] Yes No Yes Small Small F3 Number of subdomains in the domain [26] Yes No Yes Medium Large F4 The domain name according to dictionary [26,30,32] Yes No Can Large Small F5 The similarity of certain elements of the domain name with a valid domain name [26,30,33] Yes No Yes Medium Large F6 Numbers in domain names [27] Yes No Yes Small Small F7 The length of the longest word in the domain name [27] Yes No Yes Small Small F8 Number and duration of the connection [26] No No Yes Large Large F9 Similar daily behavior of the domain [27,32] No No Yes Large Large F10 Recurring cycles of query to the authoritative server [28] No The summary set of data used for experimental setup is given by:…”

Section: Evaluation Of Feature Characteristicsmentioning

confidence: 99%

“…Feature F4 empowers corrections based on the domain name by performing a similarity check against the database of known words from a controlled dictionary [26]. This feature has several significant shortcomings.…”

Section: Classification Improvement Based On Search Hitsmentioning

confidence: 99%

See 2 more Smart Citations

Fast-Flux Botnet Detection Based on Traffic Response and Search Engines Credit Worthiness

2018

View full text Add to dashboard Cite

Botnets are considered as the primary threats on the Internet and there have been many research efforts to detect and mitigate them. Today, Botnet uses a DNS technique fast-flux to hide malware sites behind a constantly changing network of compromised hosts. This technique is similar to trustworthy Round Robin DNS technique and Content Delivery Network (CDN). In order to distinguish the normal network traffic from Botnets different techniques are developed with more or less success. The aim of this paper is to improve Botnet detection using an Intrusion Detection System (IDS) or router. A novel classification method for online Botnet detection based on DNS traffic features that distinguish Botnet from CDN based traffic is presented. Botnet features are classified according to the possibility of usage and implementation in an embedded system. Traffic response is analysed as a strong candidate for online detection. Its disadvantage lies in specific areas where CDN acts as a Botnet. A new feature based on search engine hits is proposed to improve the false positive detection. The experimental evaluations show that proposed classification could significantly improve Botnet detection. A procedure is suggested to implement such a system as a part of IDS.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Evaluation Of Feature Characteristicsmentioning

confidence: 99%

See 1 more Smart Citation

Fast-Flux Botnet Detection Based on Traffic Response and Search Engines Credit Worthiness

2018

View full text Add to dashboard Cite

show abstract

“…This approach is used by [4,11,12] for the detection of botnets based on the same DNS behaviour of devices, abnormal DNS traffic or malicious domain usage. This type of data can be also used for an intrusion detection system based on DNS traffic monitoring which was introduced in [18].…”

Section: Related Workmentioning

confidence: 99%

Detection of DNS Traffic Anomalies in Large Networks

Čermák

Čeleda

Vykopal

2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Almost every Internet communication is preceded by a translation of a DNS name to an IP address. Therefore monitoring of DNS traffic can effectively extend capabilities of current methods for network traffic anomaly detection. In order to effectively monitor this traffic, we propose a new flow metering algorithm that saves resources of a flow exporter. Next, to show benefits of the DNS traffic monitoring for anomaly detection, we introduce novel detection methods using DNS extended flows. The evaluation of these methods shows that our approach not only reveals DNS anomalies but also scales well in a campus network.

show abstract

“…In [9], we present the first steps of our work showing the utility of DNS features in the identification of domain activities. This presents a passive DNS security monitoring framework called DNSSM whose architecture for DNS data capture (see Figure 1) is based on the technique of Weimer [14].…”

Section: Early Phase Of Researchmentioning

confidence: 99%

Large Scale DNS Analysis

Marchal

Engel

2012

Dependable Networks and Services

View full text Add to dashboard Cite

Abstract. In this paper we present an architecture for large scale DNS monitoring. The analysis of DNS traffic is becoming of first importance currently, as it allows to monitor the main part of the interactions on the Internet. DNS traffic can reveal anomalies such as worm infected hosts, botnets or spam participating hosts. The efficiency and the speed of detection of such anomalies rely on the capacity of DNS monitoring system to treat quickly huge quantity of data. We propose a system that leverages distributed processing and storage facilities.

show abstract

DNSSM: A large scale passive DNS security monitoring framework

Cited by 19 publications

References 9 publications

Fast-Flux Botnet Detection Based on Traffic Response and Search Engines Credit Worthiness

Fast-Flux Botnet Detection Based on Traffic Response and Search Engines Credit Worthiness

Detection of DNS Traffic Anomalies in Large Networks

Large Scale DNS Analysis

Contact Info

Product

Resources

About