Enabling Network Security Through Active DNS Datasets

  • Athanasios Kountouras
  • Panagiotis Kintis
  • Chaz Lever
  • Yizheng Chen
  • Yacin Nadji
  • David Dagon
  • Manos Antonakakis
  • Rodney Joffe
Conference paper

DOI: 10.1007/978-3-319-45719-2_9

Part of the Lecture Notes in Computer Science book series (LNCS, volume 9854)
Cite this paper as:
Kountouras A. et al. (2016) Enabling Network Security Through Active DNS Datasets. In: Monrose F., Dacier M., Blanc G., Garcia-Alfaro J. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2016. Lecture Notes in Computer Science, vol 9854. Springer, Cham

Abstract

Most modern cyber crime leverages the Domain Name System (DNS) to attain high levels of network agility and make detection of Internet abuse challenging. The majority of malware, which represent a key component of illicit Internet operations, are programmed to locate the IP address of their command-and-control (C&C) server through DNS lookups. To make the malicious infrastructure both agile and resilient, malware authors often use sophisticated communication methods that utilize DNS (i.e., domain generation algorithms) for their campaigns. In general, Internet miscreants make extensive use of short-lived disposable domains to promote a large variety of threats and support their criminal network operations.

To effectively combat Internet abuse, the security community needs access to freely available and open datasets. Such datasets will enable the development of new algorithms for the early detection and tracking of modern Internet threats over their entire lifetime. To that end, we have created a system, Thales, that actively queries and collects records for massive amounts of domain names from various seeds. These seeds are collected from multiple public sources and are, therefore, free of privacy concerns. The results of this effort will be released and made freely available to the research community. With three case studies we demonstrate the detection merit that the collected active DNS datasets contain. We show that (i) more than 75% of the domain names in public block lists (PBLs) appear in our datasets several weeks (and in some cases months) in advance, (ii) existing DNS research can be implemented using only active DNS, and (iii) malicious campaigns can be identified with the signal provided by active DNS.

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Athanasios Kountouras (1)
  • Panagiotis Kintis (2)
  • Chaz Lever (2)
  • Yizheng Chen (2)
  • Yacin Nadji (2)
  • David Dagon (1)
  • Manos Antonakakis (1)
  • Rodney Joffe (3)

  1. School of Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, USA
  2. School of Computer Science, Georgia Institute of Technology, Atlanta, USA
  3. Neustar, Sterling, USA