Visible to the public Biblio

Filters: Keyword is DNS  [Clear All Filters]
Fejrskov, M., Pedersen, J. M., Vasilomanolakis, E..  2020.  Cyber-security research by ISPs: A NetFlow and DNS Anonymization Policy. :1—8.

Internet Service Providers (ISPs) have an economic and operational interest in detecting malicious network activity relating to their subscribers. However, it is unclear what kind of traffic data an ISP has available for cyber-security research, and under which legal conditions it can be used. This paper gives an overview of the challenges posed by legislation and of the data sources available to a European ISP. DNS and NetFlow logs are identified as relevant data sources and the state of the art in anonymization and fingerprinting techniques is discussed. Based on legislation, data availability and privacy considerations, a practically applicable anonymization policy is presented.

Jin, Y., Tomoishi, M., Matsuura, S..  2019.  A Detection Method Against DNS Cache Poisoning Attacks Using Machine Learning Techniques: Work in Progress. 2019 IEEE 18th International Symposium on Network Computing and Applications (NCA). :1—3.

DNS based domain name resolution has been known as one of the most fundamental Internet services. In the meanwhile, DNS cache poisoning attacks also have become a critical threat in the cyber world. In addition to Kaminsky attacks, the falsified data from the compromised authoritative DNS servers also have become the threats nowadays. Several solutions have been proposed in order to prevent DNS cache poisoning attacks in the literature for the former case such as DNSSEC (DNS Security Extensions), however no effective solutions have been proposed for the later case. Moreover, due to the performance issue and significant workload increase on DNS cache servers, DNSSEC has not been deployed widely yet. In this work, we propose an advanced detection method against DNS cache poisoning attacks using machine learning techniques. In the proposed method, in addition to the basic 5-tuple information of a DNS packet, we intend to add a lot of special features extracted based on the standard DNS protocols as well as the heuristic aspects such as “time related features”, “GeoIP related features” and “trigger of cached DNS data”, etc., in order to identify the DNS response packets used for cache poisoning attacks especially those from compromised authoritative DNS servers. In this paper, as a work in progress, we describe the basic idea and concept of our proposed method as well as the intended network topology of the experimental environment while the prototype implementation, training data preparation and model creation as well as the evaluations will belong to the future work.

Ayub, Md. Ahsan, Smith, Steven, Siraj, Ambareen.  2019.  A Protocol Independent Approach in Network Covert Channel Detection. 2019 IEEE International Conference on Computational Science and Engineering (CSE) and IEEE International Conference on Embedded and Ubiquitous Computing (EUC). :165—170.

Network covert channels are used in various cyberattacks, including disclosure of sensitive information and enabling stealth tunnels for botnet commands. With time and technology, covert channels are becoming more prevalent, complex, and difficult to detect. The current methods for detection are protocol and pattern specific. This requires the investment of significant time and resources into application of various techniques to catch the different types of covert channels. This paper reviews several patterns of network storage covert channels, describes generation of network traffic dataset with covert channels, and proposes a generic, protocol-independent approach for the detection of network storage covert channels using a supervised machine learning technique. The implementation of the proposed generic detection model can lead to a reduction of necessary techniques to prevent covert channel communication in network traffic. The datasets we have generated for experimentation represent storage covert channels in the IP, TCP, and DNS protocols and are available upon request for future research in this area.

Thejaswini, S, Indupriya, C.  2019.  Big Data Security Issues and Natural Language Processing. 2019 3rd International Conference on Trends in Electronics and Informatics (ICOEI). :1307–1312.
Whenever we talk about big data, the concern is always about the security of the data. In recent days the most heard about technology is the Natural Language Processing. This new and trending technology helps in solving the ever ending security problems which are not completely solved using big data. Starting with the big data security issues, this paper deals with addressing the topics related to cyber security and information security using the Natural Language Processing technology. Including the well-known cyber-attacks such as phishing identification and spam detection, this paper also addresses issues on information assurance and security such as detection of Advanced Persistent Threat (APT) in DNS and vulnerability analysis. The goal of this paper is to provide the overview of how natural language processing can be used to address cyber security issues.
Hu, Qinwen, Asghar, Muhammad Rizwan, Brownlee, Nevil.  2018.  Measuring IPv6 DNS Reconnaissance Attacks and Preventing Them Using DNS Guard. 2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). :350—361.

Traditional address scanning attacks mainly rely on the naive 'brute forcing' approach, where the entire IPv4 address space is exhaustively searched by enumerating different possibilities. However, such an approach is inefficient for IPv6 due to its vast subnet size (i.e., 264). As a result, it is widely assumed that address scanning attacks are less feasible in IPv6 networks. In this paper, we evaluate new IPv6 reconnaissance techniques in real IPv6 networks and expose how to leverage the Domain Name System (DNS) for IPv6 network reconnaissance. We collected IPv6 addresses from 5 regions and 100,000 domains by exploiting DNS reverse zone and DNSSEC records. We propose a DNS Guard (DNSG) to efficiently detect DNS reconnaissance attacks in IPv6 networks. DNSG is a plug and play component that could be added to the existing infrastructure. We implement DNSG using Bro and Suricata. Our results demonstrate that DNSG could effectively block DNS reconnaissance attacks.

Jia, Zhuosheng, Han, Zhen.  2019.  Research and Analysis of User Behavior Fingerprint on Security Situational Awareness Based on DNS Log. 2019 6th International Conference on Behavioral, Economic and Socio-Cultural Computing (BESC). :1–4.

Before accessing Internet websites or applications, network users first ask the Domain Name System (DNS) for the corresponding IP address, and then the user's browser or application accesses the required resources through the IP address. The server log of DNS keeps records of all users' requesting queries. This paper analyzes the user network accessing behavior by analyzing network DNS log in campus, constructing a behavior fingerprint model for each user. Different users and even same user's fingerprints in different periods can be used to determine whether the user's access is abnormal or safe, whether it is infected with malicious code. After detecting the behavior of abnormal user accessing, preventing the spread of viruses, Trojans, bots and attacks is made possible, which further assists the protection of users' network access security through corresponding techniques. Finally, analysis of user behavior fingerprints of campus network access is conducted.

Saharan, Shail, Gupta, Vishal.  2019.  Prevention and Mitigation of DNS Based DDoS Attacks in SDN Environment. 2019 11th International Conference on Communication Systems Networks (COMSNETS). :571-573.

Denial-of-Service attack (DoS attack) is an attack on network in which an attacker tries to disrupt the availability of network resources by overwhelming the target network with attack packets. In DoS attack it is typically done using a single source, and in a Distributed Denial-of-Service attack (DDoS attack), like the name suggests, multiple sources are used to flood the incoming traffic of victim. Typically, such attacks use vulnerabilities of Domain Name System (DNS) protocol and IP spoofing to disrupt the normal functioning of service provider or Internet user. The attacks involving DNS, or attacks exploiting vulnerabilities of DNS are known as DNS based DDOS attacks. Many of the proposed DNS based DDoS solutions try to prevent/mitigate such attacks using some intelligent non-``network layer'' (typically application layer) protocols. Utilizing the flexibility and programmability aspects of Software Defined Networks (SDN), via this proposed doctoral research it is intended to make underlying network intelligent enough so as to prevent DNS based DDoS attacks.

Borgolte, Kevin, Hao, Shuang, Fiebig, Tobias, Vigna, Giovanni.  2018.  Enumerating Active IPv6 Hosts for Large-Scale Security Scans via DNSSEC-Signed Reverse Zones. 2018 IEEE Symposium on Security and Privacy (SP). :770-784.

Security research has made extensive use of exhaustive Internet-wide scans over the recent years, as they can provide significant insights into the overall state of security of the Internet, and ZMap made scanning the entire IPv4 address space practical. However, the IPv4 address space is exhausted, and a switch to IPv6, the only accepted long-term solution, is inevitable. In turn, to better understand the security of devices connected to the Internet, including in particular Internet of Things devices, it is imperative to include IPv6 addresses in security evaluations and scans. Unfortunately, it is practically infeasible to iterate through the entire IPv6 address space, as it is 2ˆ96 times larger than the IPv4 address space. Therefore, enumeration of active hosts prior to scanning is necessary. Without it, we will be unable to investigate the overall security of Internet-connected devices in the future. In this paper, we introduce a novel technique to enumerate an active part of the IPv6 address space by walking DNSSEC-signed IPv6 reverse zones. Subsequently, by scanning the enumerated addresses, we uncover significant security problems: the exposure of sensitive data, and incorrectly controlled access to hosts, such as access to routing infrastructure via administrative interfaces, all of which were accessible via IPv6. Furthermore, from our analysis of the differences between accessing dual-stack hosts via IPv6 and IPv4, we hypothesize that the root cause is that machines automatically and by default take on globally routable IPv6 addresses. This is a practice that the affected system administrators appear unaware of, as the respective services are almost always properly protected from unauthorized access via IPv4. Our findings indicate (i) that enumerating active IPv6 hosts is practical without a preferential network position contrary to common belief, (ii) that the security of active IPv6 hosts is currently still lagging behind the security state of IPv4 hosts, and (iii) that unintended IPv6 connectivity is a major security issue for unaware system administrators.

van Rijswijk-Deij, R., Chung, T., Choffnes, D., Mislove, A., Toorop, W..  2017.  The Root Canary: Monitoring and Measuring the DNSSEC Root Key Rollover. Proceedings of the SIGCOMM Posters and Demos. :63–64.

The Domain Name System (DNS) is part of the core of the Internet. Over the past decade, much-needed security features were added to this protocol, with the introduction of the DNS Security Extensions. DNSSEC adds authenticity and integrity to the protocol using digital signatures, and turns the DNS into a public key infrastructure (PKI). At the top of this PKI is a single key, the so-called Key Signing Key (KSK) for the DNS root. The current Root KSK was introduced in 2010, and has not changed since. This year, the Root KSK will be replaced for the first time ever. This event potentially has a major impact on the Internet. Thousands of DNS resolvers worldwide rely on this key to validate DNSSEC signatures, and must start using the new key, either through an automated process, or manual intervention. Failure to pick up the new key will result in resolvers becoming completely unavailable to end users. This work presents the "Root Canary", a system to monitor and measure this event from the perspective of validating DNS resolvers for its entire nine-month duration. The system combines three active measurement platforms to have the broadest possible coverage of validating resolvers. Results will be presented in near real-time, to allow the global DNS community to act if problems arise. Furthermore, after the Root KSK rollover concludes in March 2018, we will use the recorded datasets for an in-depth analysis, from which the Internet community can draw lessons for future key rollovers.

Das, A., Shen, M. Y., Shashanka, M., Wang, J..  2017.  Detection of Exfiltration and Tunneling over DNS. 2017 16th IEEE International Conference on Machine Learning and Applications (ICMLA). :737–742.

This paper proposes a method to detect two primary means of using the Domain Name System (DNS) for malicious purposes. We develop machine learning models to detect information exfiltration from compromised machines and the establishment of command & control (C&C) servers via tunneling. We validate our approach by experiments where we successfully detect a malware used in several recent Advanced Persistent Threat (APT) attacks [1]. The novelty of our method is its robustness, simplicity, scalability, and ease of deployment in a production environment.

Bhosale, K. S., Nenova, M., Iliev, G..  2017.  The distributed denial of service attacks (DDoS) prevention mechanisms on application layer. 2017 13th International Conference on Advanced Technologies, Systems and Services in Telecommunications (℡SIKS). :136–139.

As DDOS attacks interrupt internet services, DDOS tools confirm the effectiveness of the current attack. DDOS attack and countermeasures continue to increase in number and complexity. In this paper, we explore the scope of the DDoS flooding attack problem and attempts to combat it. A contemporary escalation of application layer distributed denial of service attacks on the web services has quickly transferred the focus of the research community from conventional network based denial of service. As a result, new genres of attacks were explored like HTTP GET Flood, HTTP POST Flood, Slowloris, R-U-Dead-Yet (RUDY), DNS etc. Also after a brief introduction to DDOS attacks, we discuss the characteristics of newly proposed application layer distributed denial of service attacks and embellish their impact on modern web services.

Kumar, Vimal, Kumar, Satish, Gupta, Avadhesh Kumar.  2016.  Real-time Detection of Botnet Behavior in Cloud Using Domain Generation Algorithm. Proceedings of the International Conference on Advances in Information Communication Technology & Computing. :69:1–69:3.

In the last few years, the high acceptability of service computing delivered over the internet has exponentially created immense security challenges for the services providers. Cyber criminals are using advanced malware such as polymorphic botnets for participating in our everyday online activities and trying to access the desired information in terms of personal details, credit card numbers and banking credentials. Polymorphic botnet attack is one of the biggest attacks in the history of cybercrime and currently, millions of computers are infected by the botnet clients over the world. Botnet attack is an intelligent and highly coordinated distributed attack which consists of a large number of bots that generates big volumes of spamming e-mails and launching distributed denial of service (DDoS) attacks on the victim machines in a heterogeneous network environment. Therefore, it is necessary to detect the malicious bots and prevent their planned attacks in the cloud environment. A number of techniques have been developed for detecting the malicious bots in a network in the past literature. This paper recognize the ineffectiveness exhibited by the singnature based detection technique and networktraffic based detection such as NetFlow or traffic flow detection and Anomaly based detection. We proposed a real time malware detection methodology based on Domain Generation Algorithm. It increasesthe throughput in terms of early detection of malicious bots and high accuracy of identifying the suspicious behavior.

Meitei, Irom Lalit, Singh, Khundrakpam Johnson, De, Tanmay.  2016.  Detection of DDoS DNS Amplification Attack Using Classification Algorithm. Proceedings of the International Conference on Informatics and Analytics. :81:1–81:6.

The Domain Name System (DNS) is a critically fundamental element in the internet technology as it translates domain names into corresponding IP addresses. The DNS queries and responses are UDP (User Datagram Protocol) based. DNS name servers are constantly facing threats of DNS amplification attacks. DNS amplification attack is one of the major Distributed Denial of Service (DDoS) attacks, in DNS. The DNS amplification attack victimized huge business and financial companies and organizations by giving disturbance to the customers. In this paper, a mechanism is proposed to detect such attacks coming from the compromised machines. We analysed DNS traffic packet comparatively based on the Machine Learning Classification algorithms such as Decision Tree (TREE), Multi Layer Perceptron (MLP), Naïve Bayes (NB) and Support Vector Machine (SVM) to classify the DNS traffics into normal and abnormal. In this approach attribute selection algorithms such as Information Gain, Gain Ratio and Chi Square are used to achieve optimal feature subset. In the experimental result it shows that the Decision Tree achieved 99.3% accuracy. This model gives highest accuracy and performance as compared to other Machine Learning algorithms.

Liu, Daiping, Hao, Shuai, Wang, Haining.  2016.  All Your DNS Records Point to Us: Understanding the Security Threats of Dangling DNS Records. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. :1414–1425.

In a dangling DNS record (Dare), the resources pointed to by the DNS record are invalid, but the record itself has not yet been purged from DNS. In this paper, we shed light on a largely overlooked threat in DNS posed by dangling DNS records. Our work reveals that Dare can be easily manipulated by adversaries for domain hijacking. In particular, we identify three attack vectors that an adversary can harness to exploit Dares. In a large-scale measurement study, we uncover 467 exploitable Dares in 277 Alexa top 10,000 domains and 52 edu zones, showing that Dare is a real, prevalent threat. By exploiting these Dares, an adversary can take full control of the (sub)domains and can even have them signed with a Certificate Authority (CA). It is evident that the underlying cause of exploitable Dares is the lack of authenticity checking for the resources to which that DNS record points. We then propose three defense mechanisms to effectively mitigate Dares with little human effort.

Korczyński, Maciej, Król, Micha\textbackslashl, van Eeten, Michel.  2016.  Zone Poisoning: The How and Where of Non-Secure DNS Dynamic Updates. Proceedings of the 2016 Internet Measurement Conference. :271–278.

This paper illuminates the problem of non-secure DNS dynamic updates, which allow a miscreant to manipulate DNS entries in the zone files of authoritative name servers. We refer to this type of attack as to zone poisoning. This paper presents the first measurement study of the vulnerability. We analyze a random sample of 2.9 million domains and the Alexa top 1 million domains and find that at least 1,877 (0.065%) and 587 (0.062%) of domains are vulnerable, respectively. Among the vulnerable domains are governments, health care providers and banks, demonstrating that the threat impacts important services. Via this study and subsequent notifications to affected parties, we aim to improve the security of the DNS ecosystem.

Janbeglou, M., Naderi, H., Brownlee, N..  2014.  Effectiveness of DNS-Based Security Approaches in Large-Scale Networks. Advanced Information Networking and Applications Workshops (WAINA), 2014 28th International Conference on. :524-529.

The Domain Name System (DNS) is widely seen as a vital protocol of the modern Internet. For example, popular services like load balancers and Content Delivery Networks heavily rely on DNS. Because of its important role, DNS is also a desirable target for malicious activities such as spamming, phishing, and botnets. To protect networks against these attacks, a number of DNS-based security approaches have been proposed. The key insight of our study is to measure the effectiveness of security approaches that rely on DNS in large-scale networks. For this purpose, we answer the following questions, How often is DNS used? Are most of the Internet flows established after contacting DNS? In this study, we collected data from the University of Auckland campus network with more than 33,000 Internet users and processed it to find out how DNS is being used. Moreover, we studied the flows that were established with and without contacting DNS. Our results show that less than 5 percent of the observed flows use DNS. Therefore, we argue that those security approaches that solely depend on DNS are not sufficient to protect large-scale networks.

Luchian, E., Terebes, R., Cremene, M..  2014.  Design and implementation of a mobile VoIP system on Android. Electronics and Telecommunications (ISETC), 2014 11th International Symposium on. :1-4.

The paper presents a secure solution that provides VoIP service for mobile users, handling both pre-call and mid-call mobility. Pre-call mobility is implemented using a presence server that acts as a DNS for the moving users. Our approach also detects any change in the attachment point of the moving users and transmits it to the peer entity by in band signaling using socket communications. For true mid-call mobility we also employ buffering techniques that store packets for the duration of the signaling procedure. The solution was implemented for Android devices and it uses ASP technology for the server part.