Detection of Hijacked Authoritative DNS Servers by Name Resolution Traffic Classification
Authoritative DNS server hijacking is a critical threat that can hardly be prevented by DNSSEC. In this work, we propose a machine learning based method for detecting DNS responses returned by hijacked external authoritative DNS servers, using DNS traffic data classification and heuristic analysis. The proposed method consists of header, answer, authority and additional section analysis, each of which is combined with the corresponding question section. The decision maker decides whether a DNS query-response pair is related to a hijacked external authoritative DNS server by conducting heuristic analysis on the classified DNS traffic data and comparing it with previously cached DNS data. We set up a local experimental network, collected DNS traffic data (A records) for the top 500 FQDNs listed on the Alexa web site for about one month, and confirmed that the required features can be extracted from the DNS traffic data. Accordingly, we confirmed that it is feasible to conduct DNS traffic classification and heuristic analysis in order to detect DNS responses returned by hijacked external authoritative DNS servers. Future work includes training on the DNS traffic data and evaluations on a local experimental network as well as in a large-scale real network environment.
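The per-section feature extraction and the cache-comparison heuristic described above, as an added illustration that is not the paper's code: the machine learning classification stage is omitted, the response representation, the feature names and the specific change rules (all answer rdata replaced, NS set changed, TTL dropping tenfold, glue replaced) are this example's own assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass

@dataclass
class DnsResponse:
    qname: str
    qtype: str
    rcode: int
    aa: bool           # AA flag from the header section
    answers: list      # records are (owner, rrtype, ttl, rdata) tuples
    authority: list
    additional: list

def section_features(resp: DnsResponse) -> dict:
    """Header/answer/authority/additional features, each tied to the question section."""
    ans = [r for r in resp.answers if r[1] == resp.qtype]
    ns = [r for r in resp.authority if r[1] == "NS"]
    glue = [r for r in resp.additional if r[1] == "A"]
    return {
        "rcode": resp.rcode, "aa": resp.aa,
        "ans_owner_ok": all(r[0] == resp.qname for r in ans),
        "ans_rdata": {r[3] for r in ans},
        "ans_ttl_min": min((r[2] for r in ans), default=None),
        "auth_zone_ok": all(resp.qname.endswith(r[0]) for r in ns),
        "auth_ns": {r[3] for r in ns},
        "glue_rdata": {r[3] for r in glue},
    }

class HijackHeuristic:
    """Heuristic decision maker: compares fresh features with the cached baseline."""
    def __init__(self):
        self.cache = {}   # (qname, qtype) -> last trusted feature dict

    def observe(self, resp: DnsResponse) -> list:
        # Returns the reasons a response looks hijacked; an empty list means clean.
        f, reasons = section_features(resp), []
        if not f["ans_owner_ok"] or not f["auth_zone_ok"]:
            reasons.append("answer/authority owner does not match question")
        old = self.cache.get((resp.qname, resp.qtype))
        if old is not None:
            if f["ans_rdata"] and old["ans_rdata"] and f["ans_rdata"].isdisjoint(old["ans_rdata"]):
                reasons.append("every answer rdata changed")
            if f["auth_ns"] and old["auth_ns"] and f["auth_ns"] != old["auth_ns"]:
                reasons.append("NS set changed")
            if f["ans_ttl_min"] is not None and old["ans_ttl_min"] and f["ans_ttl_min"] * 10 < old["ans_ttl_min"]:
                reasons.append("TTL dropped by 10x or more")
            if f["glue_rdata"] and old["glue_rdata"] and f["glue_rdata"].isdisjoint(old["glue_rdata"]):
                reasons.append("glue addresses changed")
        if not reasons:   # only a clean response becomes the new cached baseline
            self.cache[(resp.qname, resp.qtype)] = f
        return reasons
```

A single changed rule is a weak signal on its own (legitimate CDN rotation changes A records daily), so a deployment would weight the reasons rather than alert on any one of them.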