Leveraging Client-Side DNS Failure Patterns to Identify Malicious Behaviors
Abstract
DNS has been increasingly abused by adversaries for cyber-attacks. Recent research has leveraged DNS failures (i.e. DNS queries that result in a Non-Existent-Domain response from the server) to identify malware activities, especially domainflux botnets that generate many random domains as a rendezvous technique for command- and -control. Using ISP network traces, we conduct a systematic analysis of DNS failure characteristics, with the goal of uncovering how attackers exploit DNS for malicious activities. In addition to DNS failures generated by domain-flux bots, we discover many diverse and stealthy failure patterns that have received little attention. Based on these findings, we present a framework that detects diverse clusters of suspicious domain names that cause DNS failures, by considering multiple types of syntactic as well as temporal patterns. Our evolutionary learning framework evaluates the clusters produced over time to eliminate spurious cases while retaining sustaining (i.e., highly suspicious) clusters. One of the advantages of our framework is in analyzing DNS failures on per-client basis and not hinging on the existence of multiple clients infected by the same malware. Our evaluation on a large ISP network trace show
Document Details
- Document Type
- Technical Report
- Publication Date
- Sep 28, 2015
- Accession Number
- AD1017090
Entities
People
- Antonio Nucci
- Marco Mellia
- Pengkui Luo
- Ruben Torres
- Sabyasachi Saha
- Sung-ju Lee
- Zhi-Li Zhang
Organizations
- Cornell University