Investigating the Agility Bias in DNS Graph Mining

The concept of an agile domain name system (DNS) refers to dynamic and rapidly changing mappings between domain names and their Internet protocol (IP) addresses. This empirical paper evaluates the bias that this kind of agility introduces into DNS-based graph theoretical data mining applications. Building on two conventional metrics for observing malicious DNS agility, the agility bias is observed by comparing bipartite DNS graphs against subgraphs from which vertices and edges have been removed according to two criteria. According to an empirical experiment with two longitudinal DNS datasets, the agility bias is severe irrespective of the criterion, particularly because of outlying domains hosted and delivered via content delivery networks and cloud computing services. With these observations, the paper contributes to the research domains of cyber security and DNS mining. In the larger context of applied graph mining, the paper further elaborates the practical concerns related to learning large and dynamic bipartite graphs.
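The comparison the abstract describes, as an added example that is not the paper's own code or data: a bipartite domain-to-IP graph is built from constructed resolution records, outlying vertices are removed under two criteria, and the summary statistics a mining pipeline would learn from are compared between the full graph and each subgraph. The two criteria used here (more than a threshold of distinct addresses per domain, more than a threshold of distinct domains per address) are assumptions standing in for the paper's two conventional agility metrics, and the thresholds, domain names and addresses are all made up for the example.

```python
from collections import defaultdict

# Constructed sample of (domain, ip) resolution pairs, as a longitudinal
# crawl might accumulate them. The two cdn-example names resolve to many
# addresses (CDN-like agility); 203.0.113.10 is a shared host serving
# several names. All names and addresses are made up for this example.
RECORDS = [
    ("static.cdn-example.test", "198.51.100.1"),
    ("static.cdn-example.test", "198.51.100.2"),
    ("static.cdn-example.test", "198.51.100.3"),
    ("static.cdn-example.test", "198.51.100.4"),
    ("img.cdn-example.test", "198.51.100.2"),
    ("img.cdn-example.test", "198.51.100.3"),
    ("img.cdn-example.test", "198.51.100.5"),
    ("shop.example.test", "203.0.113.10"),
    ("blog.example.test", "203.0.113.10"),
    ("wiki.example.test", "203.0.113.10"),
    ("mail.example.test", "203.0.113.11"),
    ("lonely.example.test", "192.0.2.7"),
]


def build_graph(records):
    """Bipartite DNS graph as an adjacency map: domain -> set of IPs."""
    dom2ip = defaultdict(set)
    for domain, ip in records:
        dom2ip[domain].add(ip)
    return dict(dom2ip)


def invert(dom2ip):
    """The other side of the bipartite graph: ip -> set of domains."""
    ip2dom = defaultdict(set)
    for domain, ips in dom2ip.items():
        for ip in ips:
            ip2dom[ip].add(domain)
    return dict(ip2dom)


def prune(dom2ip, max_ips_per_domain=None, max_domains_per_ip=None):
    """Subgraph with outlying vertices removed.

    Assumed criterion A: a domain with more than max_ips_per_domain distinct
    addresses is treated as agile and dropped with all its edges.
    Assumed criterion B: an address hosting more than max_domains_per_ip
    distinct domains is dropped with all its edges.
    A domain left without edges is dropped as well, so the result is again a
    proper bipartite graph rather than a graph with isolated vertices.
    """
    ip2dom = invert(dom2ip)
    drop_domains = {
        d for d, ips in dom2ip.items()
        if max_ips_per_domain is not None and len(ips) > max_ips_per_domain
    }
    drop_ips = {
        ip for ip, doms in ip2dom.items()
        if max_domains_per_ip is not None and len(doms) > max_domains_per_ip
    }
    pruned = {}
    for domain, ips in dom2ip.items():
        if domain in drop_domains:
            continue
        kept = ips - drop_ips
        if kept:
            pruned[domain] = kept
    return pruned


def connected_components(dom2ip):
    """Count connected components by walking both sides of the graph."""
    ip2dom = invert(dom2ip)
    seen = set()
    count = 0
    for start in dom2ip:
        if ("d", start) in seen:
            continue
        count += 1
        stack = [("d", start)]
        while stack:
            side, v = stack.pop()
            if (side, v) in seen:
                continue
            seen.add((side, v))
            if side == "d":
                stack.extend(("i", ip) for ip in dom2ip[v])
            else:
                stack.extend(("d", d) for d in ip2dom[v])
    return count


def summarize(dom2ip):
    """Graph statistics a mining pipeline would typically learn from."""
    ip2dom = invert(dom2ip)
    return {
        "domains": len(dom2ip),
        "ips": len(ip2dom),
        "edges": sum(len(ips) for ips in dom2ip.values()),
        "components": connected_components(dom2ip),
        "max_ips_per_domain": max((len(v) for v in dom2ip.values()), default=0),
        "max_domains_per_ip": max((len(v) for v in ip2dom.values()), default=0),
    }


def agility_bias(full, sub):
    """Fraction of domains, addresses and edges lost when moving from the full
    graph to the subgraph: the larger, the more the learned structure depends
    on the removed agile vertices."""
    a, b = summarize(full), summarize(sub)
    return {k: (a[k] - b[k]) / a[k] for k in ("domains", "ips", "edges")}


if __name__ == "__main__":
    full = build_graph(RECORDS)
    print("full       ", summarize(full))
    for label, kwargs in (
        ("criterion A", {"max_ips_per_domain": 3}),
        ("criterion B", {"max_domains_per_ip": 2}),
        ("A and B    ", {"max_ips_per_domain": 3, "max_domains_per_ip": 2}),
    ):
        sub = prune(full, **kwargs)
        print(label, summarize(sub), agility_bias(full, sub))
```

On this toy input, criterion A removes the single most agile domain and with it a third of all edges, while criterion B removes one shared address and silently takes three otherwise ordinary domains with it; on a real longitudinal dataset the same effect is what makes CDN- and cloud-hosted outliers dominate the difference between the full graph and its subgraphs.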
