Graph theoretical models of DNS traffic

Deri, Luca; Mainardi, Simone; Martinelli, Maurizio; Gregori, Enrico

doi:10.1109/iwcmc.2013.6583721

Cited by 8 publications

(5 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Internet traffic volume distribution over domains follows a power-law [69], i.e., the Alexa top domains accumulate a large fraction of the overall internet traffic. Thus, blocking those domains not only has large collateral damage in terms of number of webs, but also traffic volume.…”

Section: Censor Dns-blocking Strategymentioning

confidence: 99%

Encrypted DNS --> Privacy? A Traffic Analysis Perspective

Siby

Juárez

Díaz

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Virtually every connection to an Internet service is preceded by a DNS lookup. These lookups are performed in the clear without integrity protection, enabling manipulation, redirection, surveillance, and censorship. In parallel with standardization efforts that address these issues, large providers such as Google and Cloudflare are deploying solutions to encrypt lookups, such as DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). In this paper we examine whether encrypting DoH traffic can protect users from traffic analysis-based monitoring and censoring. We find that performing traffic analysis on DoH traces requires different features than those used to attack HTTPS or Tor traffic. We propose a new feature set tailored to the characteristics of DoH traffic. Our classifiers obtain an F1-score of 0.9 and 0.7 in closed and open world settings, respectively. We show that although factors such as location, resolver, platform, or client affect performance, they are far from completely deterring the attacks. We then study deployed countermeasures and show that, in contrast with web traffic, Tor effectively protects users. Specified defenses, however, still preserve patterns and leave some webs unprotected. Finally, we show that web censorship is still possible by analysing DoH traffic and discuss how to selectively block content with low collateral damage.

show abstract

Section: Censor Dns-blocking Strategymentioning

confidence: 99%

Encrypted DNS --> Privacy? A Traffic Analysis Perspective

Siby

Juárez

Díaz

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…A typical-but by no means unique [24]-DNS graph is undirected and bipartite, connecting fully qualified domain names to their IP addresses [1], [16], [25]. The basic idea remains similar for server-side applications, although these allow further separating the "inside" (origins of queries) and "outside" (targets of queries) traffic passing through DNS servers, routers, or related machinery [26], [27], [28], [29].…”

Section: B Dns Graphs In Briefmentioning

confidence: 99%

Investigating the Agility Bias in DNS Graph Mining

Ruohonen¹,

Leppänen²

2017

2017 IEEE International Conference on Computer and Information Technology (CIT)

View full text Add to dashboard Cite

The concept of agile domain name system (DNS) refers to dynamic and rapidly changing mappings between domain names and their Internet protocol (IP) addresses. This empirical paper evaluates the bias from this kind of agility for DNS-based graph theoretical data mining applications. By building on two conventional metrics for observing malicious DNS agility, the agility bias is observed by comparing bipartite DNS graphs to different subgraphs from which vertices and edges are removed according to two criteria. According to an empirical experiment with two longitudinal DNS datasets, irrespective of the criterion, the agility bias is observed to be severe particularly regarding the effect of outlying domains hosted and delivered via content delivery networks and cloud computing services. With these observations, the paper contributes to the research domains of cyber security and DNS mining. In a larger context of applied graph mining, the paper further elaborates the practical concerns related to the learning of large and dynamic bipartite graphs.

show abstract

“…Similarly, in [ 44 ], the authors propose to use social structures to detect DDoS attack on DNS server, and present some insights about this approach. As another example, [ 45 ] studies the bipartite graph that stems from an ISP network, concluding that these kinds of graphs follow a heavy tailored distribution. Despite being similar, none of these works have exploited IP to domain name interactions to detect flood attacks as we do.…”

Section: Related Workmentioning

confidence: 99%

Mining IP to Domain Name Interactions to Detect DNS Flood Attacks on Recursive DNS Servers

Alonso

Monroy

Trejo

2016

Sensors

View full text Add to dashboard Cite

The Domain Name System (DNS) is a critical infrastructure of any network, and, not surprisingly a common target of cybercrime. There are numerous works that analyse higher level DNS traffic to detect anomalies in the DNS or any other network service. By contrast, few efforts have been made to study and protect the recursive DNS level. In this paper, we introduce a novel abstraction of the recursive DNS traffic to detect a flooding attack, a kind of Distributed Denial of Service (DDoS). The crux of our abstraction lies on a simple observation: Recursive DNS queries, from IP addresses to domain names, form social groups; hence, a DDoS attack should result in drastic changes on DNS social structure. We have built an anomaly-based detection mechanism, which, given a time window of DNS usage, makes use of features that attempt to capture the DNS social structure, including a heuristic that estimates group composition. Our detection mechanism has been successfully validated (in a simulated and controlled setting) and with it the suitability of our abstraction to detect flooding attacks. To the best of our knowledge, this is the first time that work is successful in using this abstraction to detect these kinds of attacks at the recursive level. Before concluding the paper, we motivate further research directions considering this new abstraction, so we have designed and tested two additional experiments which exhibit promising results to detect other types of anomalies in recursive DNS servers.

show abstract

Graph theoretical models of DNS traffic

Cited by 8 publications

References 21 publications

Encrypted DNS --> Privacy? A Traffic Analysis Perspective

Encrypted DNS --> Privacy? A Traffic Analysis Perspective

Investigating the Agility Bias in DNS Graph Mining

Mining IP to Domain Name Interactions to Detect DNS Flood Attacks on Recursive DNS Servers

Contact Info

Product

Resources

About