Mapping an Enterprise Network by Analyzing DNS Traffic

  • Minzhao Lyu (corresponding author)
  • Hassan Habibi Gharakheili
  • Craig Russell
  • Vijay Sivaraman
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11419)

Abstract

Enterprise networks are becoming more complex and dynamic, making it a challenge for network administrators to fully track what is potentially exposed to cyber attack. We develop an automated method to identify and classify organizational assets via analysis of just 0.1% of the enterprise traffic volume, specifically corresponding to DNS packets. We analyze live, real-time streams of DNS traffic from two organizations (a large University and a mid-sized Government Research Institute) to: (a) highlight how DNS query and response patterns differ between recursive resolvers, authoritative name servers, web-servers, and regular clients; (b) identify key attributes that can be extracted efficiently in real-time; and (c) develop an unsupervised machine learning model that can classify enterprise assets. Application of our method to the 10 Gbps live traffic streams from the two organizations yielded results that were verified by the respective IT departments, while also revealing new knowledge, attesting to the value provided by our automated system for mapping and tracking enterprise assets.
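The abstract summarises the method at a high level: observe only the DNS packets, extract a handful of per-host attributes in real time, and let those attributes separate recursive resolvers, authoritative name servers, web servers and ordinary clients. The script below is an added illustration of that idea and is not the authors' code: it builds the per-host attributes from a constructed list of DNS packets (using 10.0.0.0/8 as the assumed enterprise address space and documentation-range addresses for the outside world) and then labels the enterprise hosts. Where the paper applies an unsupervised model, this example substitutes explicit rules over the same kind of attributes, so the thresholds and role names here are assumptions chosen to make the behavioural differences visible, not the paper's model.

```python
"""Per-host DNS behaviour attributes and role labelling (added example, not the paper's code)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# One DNS packet as a tap would expose it: (src_ip, dst_ip, is_response, qname, answer_ips).
Packet = Tuple[str, str, bool, str, Tuple[str, ...]]

# Assumption for this example: the enterprise owns 10.0.0.0/8; everything else is external.
ENTERPRISE_PREFIX = "10."

# Constructed sample traffic (documentation ranges only; not captured data).
SAMPLE: List[Packet] = [
    # Internal clients ask the enterprise recursive resolver.
    ("10.0.1.5", "10.0.0.10", False, "www.example.com", ()),
    ("10.0.1.6", "10.0.0.10", False, "mail.example.com", ()),
    # The resolver recurses to an external authoritative server and gets answers back.
    ("10.0.0.10", "203.0.113.9", False, "www.example.com", ()),
    ("203.0.113.9", "10.0.0.10", True, "www.example.com", ("192.0.2.34",)),
    ("10.0.0.10", "203.0.113.9", False, "mail.example.com", ()),
    ("203.0.113.9", "10.0.0.10", True, "mail.example.com", ("192.0.2.35",)),
    # The resolver answers its clients.
    ("10.0.0.10", "10.0.1.5", True, "www.example.com", ("192.0.2.34",)),
    ("10.0.0.10", "10.0.1.6", True, "mail.example.com", ("192.0.2.35",)),
    # External resolvers ask the enterprise authoritative server about its own zone;
    # the answers name the enterprise web server, which itself never touches DNS.
    ("198.51.100.7", "10.0.0.53", False, "www.example.org", ()),
    ("10.0.0.53", "198.51.100.7", True, "www.example.org", ("10.0.0.80",)),
    ("203.0.113.22", "10.0.0.53", False, "www.example.org", ()),
    ("10.0.0.53", "203.0.113.22", True, "www.example.org", ("10.0.0.80",)),
]


@dataclass
class HostStats:
    queries_sent: int = 0
    queries_received: int = 0
    responses_sent: int = 0
    responses_received: int = 0
    peers_queried: Set[str] = field(default_factory=set)      # hosts this one sends queries to
    external_queriers: Set[str] = field(default_factory=set)  # non-enterprise hosts querying it
    appears_in_answers: int = 0                               # times its IP is returned in an answer


def is_internal(ip: str) -> bool:
    return ip.startswith(ENTERPRISE_PREFIX)


def extract_attributes(packets: List[Packet]) -> Dict[str, HostStats]:
    """Single pass over the packets; every counter is updatable in real time."""
    stats: Dict[str, HostStats] = defaultdict(HostStats)
    for src, dst, is_response, _qname, answers in packets:
        if is_response:
            stats[src].responses_sent += 1
            stats[dst].responses_received += 1
            for ip in answers:
                stats[ip].appears_in_answers += 1
        else:
            stats[src].queries_sent += 1
            stats[src].peers_queried.add(dst)
            stats[dst].queries_received += 1
            if not is_internal(src):
                stats[dst].external_queriers.add(src)
    return dict(stats)


def classify_host(s: HostStats) -> str:
    """Rule-based stand-in for the paper's unsupervised model (assumed rules, not the paper's)."""
    if s.queries_received and s.responses_sent and s.queries_sent:
        return "recursive resolver"        # answers clients AND asks upstream servers
    if s.queries_received and s.responses_sent and not s.queries_sent and s.external_queriers:
        return "authoritative name server"  # answers outsiders, never asks anyone
    if s.appears_in_answers and not s.queries_sent and not s.queries_received:
        return "web-server"                # named in answers, no DNS activity of its own
    if s.queries_sent and not s.queries_received and len(s.peers_queried) <= 2:
        return "regular client"            # only ever talks to a local resolver
    return "unclassified"


def classify_hosts(packets: List[Packet]) -> Dict[str, str]:
    """Label every enterprise host seen in the packets; external hosts are not assets."""
    return {ip: classify_host(s) for ip, s in extract_attributes(packets).items() if is_internal(ip)}


if __name__ == "__main__":
    for ip, role in sorted(classify_hosts(SAMPLE).items()):
        print(f"{ip:12} {role}")
```

The point of the attributes is that they are cheap: four counters and two small sets per host, all derivable from the DNS header and the answer section without touching any other traffic, which is what makes classification from a fraction of a percent of the traffic volume feasible. A real deployment would replace the hand-written rules with the clustering the paper describes and would need to handle hosts that play several roles at once (a resolver that is also authoritative for an internal zone, for instance), which the rules above deliberately do not attempt.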

Keywords

Enterprise network; DNS analysis; Machine learning

Notes

Acknowledgements

This work was completed in collaboration with the Australian Defence Science and Technology Group.

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Minzhao Lyu (1, 2), corresponding author
  • Hassan Habibi Gharakheili (1)
  • Craig Russell (2)
  • Vijay Sivaraman (1)
  1. University of New South Wales, Sydney, Australia
  2. Data61, CSIRO, Sydney, Australia