The DNS is a core service for the Internet. Most uses of the DNS are benign, but some are malicious. Attackers often use a DNS domain to enable an attack (e.g. DDoS attacks). Detection of these attacks usually happens passively, which makes it reactive: the attack is detected only once it is under way. However, registering and configuring a domain takes time, and we want to use that time to pro-actively identify malicious domains. Identifying malicious domains before they are used makes it possible to pre-emptively stop an attack before it happens. We aim to accomplish this by analysing active DNS measurements. Analysing active DNS measurements gives a window of opportunity, between the registration time and the time of an attack, in which to identify a threat before it becomes an attack. Active DNS measurements allow us to analyse the configuration of a domain, and from that configuration we can predict whether it will be used with malicious intent. Machine Learning (ML) is often used to process large datasets because it is efficient and dynamic, which is why we want to use ML for the detection of malicious domains. Since our results are predictive in nature, a methodology for validating them needs to be developed, because at the time of detection no ground truth is (yet) available.
The third publication for the TIDE project. It details the research questions of this project more formally.
| Title | Threat Identification Using Active DNS Measurements |
|---|---|
| Authors | Olivier van der Toorn, Anna Sperotto |
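The abstract above describes turning an active DNS measurement of a freshly registered domain into a configuration that an ML classifier can judge. The following is an added illustration of that step, not code from the paper or the TIDE project: the feature set, the record layout and the domain `example.test` are assumptions chosen for this example, and the measurement snapshot is constructed inline.

```python
# Added example (not the paper's code): convert one active DNS measurement
# snapshot into a numeric feature vector of the kind fed to an ML classifier.
# The chosen features are an illustrative assumption, not the paper's set.
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Record:
    rtype: str   # resource record type, e.g. "A", "NS", "MX"
    value: str   # record data as returned by the resolver
    ttl: int     # time to live in seconds


# Constructed snapshot for the hypothetical domain "example.test", measured
# one day after registration (the "window of opportunity" in the abstract).
SNAPSHOT = {
    "registered": datetime(2024, 1, 10, 9, 0),
    "measured": datetime(2024, 1, 11, 9, 0),
    "records": [
        Record("A", "192.0.2.10", 60),
        Record("A", "192.0.2.11", 60),
        Record("NS", "ns1.example.test.", 3600),
        Record("NS", "ns2.example.test.", 3600),
        Record("MX", "10 mail.example.test.", 3600),
    ],
}

FEATURE_ORDER = ("age_hours", "n_a", "n_ns", "min_ttl", "has_mx", "in_bailiwick_ns")


def features(snapshot: dict, domain: str) -> dict:
    """Summarise a domain's configuration from one active measurement."""
    by_type: dict = {}
    for rec in snapshot["records"]:
        by_type.setdefault(rec.rtype, []).append(rec)
    ns_names = [r.value.rstrip(".") for r in by_type.get("NS", [])]
    return {
        # hours since registration: how much of the window has already elapsed
        "age_hours": (snapshot["measured"] - snapshot["registered"]).total_seconds() / 3600,
        "n_a": len(by_type.get("A", [])),
        "n_ns": len(ns_names),
        "min_ttl": min((r.ttl for r in snapshot["records"]), default=0),
        "has_mx": int("MX" in by_type),
        # 1 when every name server lives under the domain itself
        "in_bailiwick_ns": int(bool(ns_names) and all(n.endswith(domain) for n in ns_names)),
    }


def to_vector(feats: dict) -> list:
    """Fixed-order numeric vector, the shape a classifier expects as input."""
    return [float(feats[name]) for name in FEATURE_ORDER]
```

Because no ground truth exists at measurement time, the label for such a vector can only be attached later, which is the validation problem the abstract raises.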