
A method for identifying compromised clients based on DNS traffic analysis

  • Regular Contribution, International Journal of Information Security

Abstract

DNS is widely abused by Internet criminals in order to provide reliable communication within malicious network infrastructure as well as flexible and resilient hosting of malicious content. This paper presents a novel detection method that can be used for identifying potentially compromised clients based on DNS traffic analysis. The proposed method identifies suspicious agile DNS mappings, i.e., mappings characterized by fast-changing domain names and/or IP addresses, which are often used by malicious services. The approach discovers clients that have queried domains contained within the identified suspicious domain-to-IP mappings, thus assisting in pinpointing potentially compromised clients within the network. The proposed approach targets compromised clients in large-scale operational networks. We have evaluated the proposed approach using an extensive set of DNS traffic traces from different operational ISP networks. The evaluation illustrates a great potential for accurately identifying suspicious domain-to-IP mappings and potentially compromised clients. Furthermore, the achieved performance indicates that the novel detection approach is promising with a view to adoption in operational ISP networks. Finally, the proposed approach targets both Fast-flux and Domain-flux, thus having an advantage over existing detection methods that identify compromised clients.
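The abstract describes two steps: flag agile domain-to-IP mappings (a name that keeps changing addresses, as in Fast-flux, or an address that keeps changing names, as in Domain-flux), then map the flagged mappings back to the clients that queried them. The following Python script is an added illustration of that pipeline and is not the authors' code; the paper's actual features, thresholds and classifier are in the full text, not on this page. The passive-DNS style log lines, the `.invalid` names, the documentation address ranges, and the thresholds (`min_ips`, `min_prefixes`, `min_registered`) are all constructed for the example.

```python
"""Added example: flag agile DNS mappings and list the clients that queried them.
Not the paper's implementation; thresholds and sample data are constructed."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed records, one per line: "<unix_ts> <client_ip> <qname> <answer_ip>".
# Documentation ranges (RFC 5737) and the reserved .invalid TLD are used on purpose.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.org 93.184.216.34
1700000060 10.0.0.7 www.example.org 93.184.216.34
1700000120 10.0.0.5 cdn.example.net 198.51.100.10
1700000180 10.0.0.9 cdn.example.net 198.51.100.11
1700000240 10.0.0.9 cdn.example.net 198.51.100.12
1700000300 10.0.0.11 flux.invalid 203.0.113.7
1700000360 10.0.0.11 flux.invalid 198.51.100.200
1700000420 10.0.0.13 flux.invalid 192.0.2.44
1700000480 10.0.0.11 flux.invalid 203.0.113.99
1700000540 10.0.0.13 flux.invalid 192.0.2.101
1700000600 10.0.0.21 a1b2c3.invalid 192.0.2.250
1700000660 10.0.0.21 d4e5f6.invalid 192.0.2.250
1700000720 10.0.0.23 g7h8i9.invalid 192.0.2.250
1700000780 10.0.0.23 j0k1l2.invalid 192.0.2.250
1700000840 10.0.0.25 m3n4o5.invalid 192.0.2.250
1700000900 10.0.0.25 p6q7r8.invalid 192.0.2.250
"""


@dataclass(frozen=True)
class Record:
    ts: int
    client: str
    qname: str
    ip: str


def parse_records(text):
    """Parse the constructed log format; malformed answer addresses raise ValueError."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname, ip = line.split()
        ipaddress.ip_address(ip)
        records.append(Record(int(ts), client, qname.lower().rstrip("."), ip))
    return records


def registered_domain(qname):
    """Crude approximation: last two labels. A public-suffix list is the proper tool."""
    return ".".join(qname.split(".")[-2:])


def prefix24(ip):
    """Collapse an address to its /24 so one provider's adjacent hosts count once."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_mappings(records):
    """Build the three indexes the method needs: name->IPs, IP->names, name->clients."""
    domain_to_ips, ip_to_domains, domain_to_clients = defaultdict(set), defaultdict(set), defaultdict(set)
    for r in records:
        domain_to_ips[r.qname].add(r.ip)
        ip_to_domains[r.ip].add(r.qname)
        domain_to_clients[r.qname].add(r.client)
    return domain_to_ips, ip_to_domains, domain_to_clients


def fast_flux_domains(domain_to_ips, min_ips=4, min_prefixes=3):
    """Fast-flux heuristic: a name resolving to many addresses spread over many /24s.
    A CDN with several addresses in one block stays below min_prefixes."""
    return {q for q, ips in domain_to_ips.items()
            if len(ips) >= min_ips and len({prefix24(ip) for ip in ips}) >= min_prefixes}


def domain_flux_domains(ip_to_domains, min_registered=5):
    """Domain-flux heuristic: one address serving many distinct registered names.
    Every name on such an address is flagged (shared hosting is a known false-positive source)."""
    flagged = set()
    for names in ip_to_domains.values():
        if len({registered_domain(n) for n in names}) >= min_registered:
            flagged.update(names)
    return flagged


def suspicious_domains(records):
    d2i, i2d, _ = build_mappings(records)
    return fast_flux_domains(d2i) | domain_flux_domains(i2d)


def suspicious_clients(records):
    """Second step of the method: map each flagged name back to the clients that queried it."""
    _, _, d2c = build_mappings(records)
    return {q: sorted(d2c[q]) for q in suspicious_domains(records)}


if __name__ == "__main__":
    for qname, clients in sorted(suspicious_clients(parse_records(SAMPLE_LOG)).items()):
        print(f"{qname}: {', '.join(clients)}")
```

On the constructed data, `flux.invalid` is flagged by the Fast-flux rule (five addresses in three different /24s), the six short `.invalid` names are flagged by the Domain-flux rule (one address, six registered names), and the two ordinary names are not; the output is the per-domain list of querying clients that an analyst would triage. In a real deployment the indexes would be kept per time window rather than over the whole trace, since agility is about change over time, and the thresholds would be tuned on labelled traffic as the paper's evaluation does.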




Acknowledgments

We would like to thank Bredbånd Nord for providing DNS traffic data sets used for the evaluation of the proposed detection method. We would also like to thank Dan Sandberg for assisting in obtaining the data sets and contributing to discussions on the use of the proposed detection method in operational networks.


Corresponding author

Correspondence to Matija Stevanovic.


Cite this article

Stevanovic, M., Pedersen, J.M., D’Alconzo, A. et al. A method for identifying compromised clients based on DNS traffic analysis. Int. J. Inf. Secur. 16, 115–132 (2017). https://doi.org/10.1007/s10207-016-0331-3
