Corpus ID: 67855931

A Study of Newly Observed Hostnames and DNS Tunneling in the Wild

Dennis Tatang, Florian Quinkert, Nico Dolecki, Thorsten Holz
The domain name system (DNS) is a crucial backbone of the Internet and millions of new domains are created on a daily basis. While the vast majority of these domains are legitimate, adversaries also register new hostnames to carry out nefarious purposes, such as scams, phishing, or other types of attacks. In this paper, we present insights on the global utilization of DNS through a measurement study examining exclusively newly observed hostnames via passive DNS data analysis. We analyzed more… 

Towards Comprehensive Detection of DNS Tunnels

A novel DNS tunnel detection method that can detect newly developed A and AAAA RR based DNS tunnels, and that is shown to detect all DNS tunnels in the dataset with an extremely low false positive rate.

A Statistical Approach to Detecting Low-Throughput Exfiltration through the Domain Name System Protocol

This model eliminates the need for a network analyst to sift through a high volume of DNS queries, by automatically detecting traffic indicative of exfiltration within a network.

TXTing 101: Finding Security Issues in the Long Tail of DNS TXT Records

This paper presents the first structured study of the uses of TXT records, with a specific focus on security implications; it is able to classify over 99.54% of all TXT records in the dataset, finding security issues including accidentally published private keys and exploit delivery attempts.

A security model for DNS tunnel detection on cloud platform

This article proposes an effective DNS tunnel detection methodology integrating cloud-based resources and proposes an unsupervised machine-learning model execution for anomaly identification that could be adapted to compose security control systems for organizations.

Hidden Markov model for malicious hosts detection in a computer network

The paper suggests a method for detecting malicious hosts using activity time-series classification based on a hidden Markov chain model that analyses the time series and then searches for the most probable final state of the model.

EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis

This paper introduces EXPOSURE, a system that employs large-scale, passive DNS analysis techniques to detect domains that are involved in malicious activity, and uses 15 features that it extracts from the DNS traffic that allow it to characterize different properties of DNS names and the ways that they are queried.

An empirical reexamination of global DNS behavior

Measurement results from a unique dataset containing more than 26 billion DNS query-response pairs collected from more than 600 globally distributed recursive DNS resolvers are presented, and a novel approach that detects malicious domain groups using temporal correlation in DNS queries is proposed.

DNS Tunneling Detection Techniques - Classification, and Theoretical Comparison in Case of a Real APT Campaign

This paper introduces one real Advanced Persistent Threat campaign that utilizes DNS tunneling and theoretically compares how well the surveyed detection techniques could detect it; the techniques are classified first based on the type of data and then, within those categories, based on the type of analysis.

Practical Comprehensive Bounds on Surreptitious Communication over DNS

A novel measurement procedure is developed that fundamentally limits the amount of information a domain can receive surreptitiously through DNS queries to an upper bound specified by a site's security policy, with the exact setting representing a tradeoff between the scope of potential leakage and the quantity of possible detections that a site's analysts must investigate.

A High-Performance, Scalable Infrastructure for Large-Scale Active DNS Measurements

The challenges of performing a large-scale active measurement of the domain name system, including scaling the daily measurement to collect data for the largest TLD (.com, with 123M names) and ensuring that a measurement of this scale does not impose an unacceptable burden on the global DNS infrastructure are discussed.

A Bigram based Real Time DNS Tunnel Detection Approach

Stream-wise detection of surreptitious traffic over DNS

  • T. Čejka, Zdenek Rosa, H. Kubátová
  • Computer Science
    2014 IEEE 19th International Workshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD)
  • 2014
The proposed detection module is designed to process huge volumes of data and to detect anomalies in near real time, based on a combination of statistical analysis of several observed features including application layer information.

Detecting Malware Domains at the Upper DNS Hierarchy

Kopis passively monitors DNS traffic at the upper levels of the DNS hierarchy, and is able to accurately detect malware domains by analyzing global DNS query resolution patterns.

Detection of malicious payload distribution channels in DNS

A system to analyze the resource record activities of domain names and build DNS zone profiles to detect payload distribution channels and reveal a few previously unreported long-running hidden domains used by the Morto worm for distributing malicious payloads is presented.

Detecting DNS Tunnels Using Character Frequency Analysis

This paper explores the possibility of detecting DNS tunnels by analyzing the unigram, bigram, and trigram character frequencies of domains in DNS queries and responses; it is empirically shown that domains follow Zipf's law in a similar pattern to natural languages, whereas tunneled traffic has more evenly distributed character frequencies.