Author : Madeeha M.K 1
Date of Publication :7th September 2016
Abstract: The Domain Name System (DNS) is an integral component of the internet which efficiently converts domain names into 32 bit IP addresses and vice versa. The internet had always been a favorite target where the attackers staged various types of malicious activities with their effects ranging from small to extreme. The attackers are now a days focusing on attacking domains which involves managing botnet to fire numerous attacks on the victim. Relative to the increase in the number of wicked web users targeting domains for implementing malicious activity there is also an increase in the number of scholars interested in doing research to curb the advancement of such attacks. Many systems have already been introduced various researchers to detect domains involved in malicious activities based on the DNS query and response observation of the domain under consideration. Some of the systems thus developed blacklist those domains that are fraudulent in nature. We propose a machine learning approach in detecting malicious domain names by assigning scores to the domains based on the analysis. The attributes relevant for our experiment that distinguish malicious and benign domains were obtained by analyzing a large number of features from collected DNS query responses. In addition to the features based on domain names we also make use of the Google Page Rank, Alexa Traffic Rank and SSL rating. We assign score to each domain in the range of 0 to 10. Based on the experimental results and observations a low score below and including 5 implies that the domain is involved in malicious activities and scores above 5 implies benign domain.
Reference :
-
- Jon Postel. ”Domain name system structure and delegation”. 1994.
- Florian Weimer.” Passive dns replication”. In FIRST Conference on Computer Security Incident, pp. 98, 2005.
- Roberto Perdisci, Igino Corona, and Giorgio Giacinto. ”Early detection of malicious flux networks via large-scale passive dns traffic analysis”.In IEEE Transactions on Dependable and Secure Computing, pp. 714726, IEEE, 2012.
- Bojan Zdrnja, Nevil Brownlee, and Duane Wessels.”Passive monitoring of dns anomalies” In Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 129139, Springer, 2007.
- David Plonka and Paul Barford. ”Context-aware clustering of dns query traffic”. In Proceedings of the 8th ACM SIGCOMM conference on Internet measurement, pages 217-230, ACM, 2008.
- Leyla Bilge, Engin Kirda, Christopher Kruegel, and Marco Balduzzi ”Exposure: Finding malicious domains using passive dns analysis”. In NDSS, 2011
- Felegyhazi, Mark and Kreibich, Christian and Paxson, Vern ”On the Potential of Proactive Domain Blacklisting ”.Proceedings of the 3rdUSENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more, USENIX Association, 2010.
- M. Antonakakis, R. Perdisci, D. Dagon, W. Lee, and N. Feamster. ”Building a Dynamic Reputation System for DNS”.In 19th Usenix Security Symposium, USENIX, 2010.
- E. Passerini, R. Paleari, L. Martignoni, and D. Bruschi.” Fluxor: Detecting and monitoring fast-flux service networks”. In Detection of Intrusions and Malware, and Vunerability Assessment, 2008.
- R. Perdisci, I. Corona, D. Dagon, and W. Lee. ”Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces”. In 25th Annual Computer Security Applications Conference, ACSAC, 2009.
- Jalalzai, M.H. Shahid, W.B. ; Iqbal, M.M.W. ”DNS security challenges and best practices to deploy secure DNS with digital signatures.” In 12thInternational Bhurban Conference on Applied Sciences and Technology (IBCAST), 2015
- Sun Bin, Wen Qiaoyan, Liang Xiaoying . ”A DNS Based Anti Phishing Approach”. In IInd International Conference on Networks Security, Wireless Communications and Trusted Computing ,IEEE, 2010.
- Firenet.(October, 2008). DNS / nslookup - How to find the root servers ? Online. Available :https://www.fir3net.com/Networking/Protocols/dnsnslooku p-how-to-find-the-root-servers.html. ( December,2015)
- Infoblox. (October, 2015). Online. Available : http://cybersecuritysummit.co.uk/wpcontent/uploads/2015/1 0/Top-Ten-DNS-Attacks. (Accessed: December, 2015).
- Breiman, Leo. ”Random forests.” Machine learning 45.1 pages 5-32,2001.
- Nejad, Tayebeh Rouhani and Abadi, Mohammadebrahim Shiri Ahmad.”Intrusion detection in computer networks through a hybrid approach of data mining and decision trees.”2014.
- Chan, Jonathan Cheung-Wai and Paelinckx, Desire ”Evaluation of Random Forest and Adaboost tree-based ensemble classication and spectral band selection for ecotope mapping using airborne hyperspectral imagery.” Remote Sensing of Environment 112.6, pp. 2999-3011, 2008.
- Jaree Thongkam, Guandong Xu, and Yanchun Zhang. ”Adaboost algorithm withrandom forests for predicting breast cancer survivability. ”In International Joint Conference on Neural Networks (IJCNN), pp 3062- 3069,IEEE,2008.
- Thomas G Dietterich. ”An experimental comparison of three methods for constructing ensembles of decision trees: Bagging, boosting, and randomization” Machine learning, 40(2):139-157, 2000.