
Name Server Switching: Anomaly Signatures, Usage, Clustering, and Prediction

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 8909)

Abstract

A significant number of domains have frequently switched their name servers, for several reasons. In this work, we analyzed name-server switching behavior and presented a novel identifier called “NS-Switching Footprint” (NSSF) that can be used to cluster domains, enabling us to detect domains with suspicious behavior. We also designed a time-series model that can be used to predict the number of name servers that a domain will interact with. We performed the experiments on a dataset that captured all .com and .net zone-change transactions (i.e., adding or deleting name servers for domains) from March 28 to June 27, 2013.


Corresponding author

Correspondence to Aziz Mohaisen.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Mohaisen, A., Bhuiyan, M., Labrou, Y. (2015). Name Server Switching: Anomaly Signatures, Usage, Clustering, and Prediction. In: Rhee, KH., Yi, J. (eds) Information Security Applications. WISA 2014. Lecture Notes in Computer Science, vol 8909. Springer, Cham. https://doi.org/10.1007/978-3-319-15087-1_16


  • DOI: https://doi.org/10.1007/978-3-319-15087-1_16

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-15086-4

  • Online ISBN: 978-3-319-15087-1

  • eBook Packages: Computer Science (R0)
