Enabling Network Security Through Active DNS Datasets

Most modern cyber crime leverages the Domain Name System (DNS) to attain high levels of network agility and to make detection of Internet abuse challenging. The majority of malware, a key component of illicit Internet operations, is programmed to locate the IP address of its command-and-control (C&C) server through DNS lookups. To make the malicious infrastructure both agile and resilient, malware authors often use sophisticated communication methods built on DNS, such as domain generation algorithms (DGAs), for their campaigns. In general, Internet miscreants make extensive use of short-lived disposable domains to promote a large variety of threats and to support their criminal network operations.
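The abstract above describes why defenders collect active DNS data: resolving a large set of domains on a schedule and keeping the history lets one see how long a domain lives, how often its addresses change, and which domains share infrastructure. The following Python is an added illustration, not code from the paper or its authors: it builds a toy active-DNS dataset from five constructed daily snapshots (made-up domains, addresses from the RFC 5737 documentation ranges) and derives the per-domain features a practitioner would look at first, namely first/last seen, days observed, distinct addresses, IP churn and shared addresses. The thresholds in `short_lived` and `high_churn` are arbitrary assumptions for the demonstration, not values from the paper.

```python
"""Toy active-DNS dataset: derive per-domain lifetime, IP churn and shared
infrastructure from daily resolution snapshots (added example, not the paper's code)."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample: five daily snapshots, each mapping domain -> set of A records.
# Domains are invented; addresses come from RFC 5737 documentation ranges.
_DAY0 = date(2016, 3, 1)
SNAPSHOTS = {
    _DAY0 + timedelta(days=0): {
        "stable.example": {"192.0.2.10"},
        "flux.example": {"198.51.100.1"},
    },
    _DAY0 + timedelta(days=1): {
        "stable.example": {"192.0.2.10"},
        "flux.example": {"198.51.100.2"},
        "x7k2m9q.example": {"203.0.113.5"},      # appears on a single day only
    },
    _DAY0 + timedelta(days=2): {
        "stable.example": {"192.0.2.10"},
        "flux.example": {"198.51.100.3"},
    },
    _DAY0 + timedelta(days=3): {
        "stable.example": {"192.0.2.10"},
        "flux.example": {"198.51.100.4"},
        "b3z9t1w.example": {"203.0.113.5"},      # shares an address with x7k2m9q
    },
    _DAY0 + timedelta(days=4): {
        "stable.example": {"192.0.2.10"},
        "flux.example": {"198.51.100.5"},
        "b3z9t1w.example": {"203.0.113.6"},
    },
}


def summarize(snapshots):
    """Per-domain features: first/last seen, days observed, lifetime, distinct IPs, churn."""
    seen_days = defaultdict(set)
    ips = defaultdict(set)
    for day in sorted(snapshots):
        for domain, addrs in snapshots[day].items():
            seen_days[domain].add(day)
            ips[domain].update(addrs)
    summary = {}
    for domain, days in seen_days.items():
        first, last = min(days), max(days)
        summary[domain] = {
            "first_seen": first,
            "last_seen": last,
            "days_observed": len(days),
            "lifetime_days": (last - first).days + 1,
            "distinct_ips": len(ips[domain]),
            # distinct addresses per observed day; 1.0 means a new address every day
            "ip_churn": len(ips[domain]) / len(days),
        }
    return summary


def short_lived(summary, max_days=2):
    """Domains observed on at most max_days snapshots (candidate disposable domains).
    The threshold is an assumption for this example."""
    return sorted(d for d, s in summary.items() if s["days_observed"] <= max_days)


def high_churn(summary, min_days=3, min_churn=0.8):
    """Domains whose resolved addresses change nearly every day (fast-flux-like).
    Both thresholds are assumptions for this example."""
    return sorted(d for d, s in summary.items()
                  if s["days_observed"] >= min_days and s["ip_churn"] >= min_churn)


def shared_infrastructure(snapshots):
    """Addresses that more than one domain resolved to, with the domains involved."""
    by_ip = defaultdict(set)
    for day_map in snapshots.values():
        for domain, addrs in day_map.items():
            for ip in addrs:
                by_ip[ip].add(domain)
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) > 1}


if __name__ == "__main__":
    s = summarize(SNAPSHOTS)
    for domain, feats in sorted(s.items()):
        print(domain, feats)
    print("short-lived:", short_lived(s))
    print("high churn:", high_churn(s))
    print("shared addresses:", shared_infrastructure(SNAPSHOTS))
```

Real collections differ from this toy in scale and in what is recorded (full resource record sets, TTLs, the resolver used, timestamps to the second), but the shape is the same: a time-indexed history of resolutions from which lifetime, churn and co-hosting are computed, which is exactly what a passive-only view of one network's traffic cannot provide for domains nobody on that network has queried yet.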
