Detecting Malicious Activity with DNS Backscatter (extended). Fukuda, K. & Heidemann, J. Technical Report ISI-TR-2015-704, USC/Information Sciences Institute, November, 2015.
Detecting Malicious Activity with DNS Backscatter (extended) [link]Paper  abstract   bibtex   
Network-wide activity is when one computer (the \emphoriginator) touches many others (the \emphtargets). Motives for activity may be benign (mailing lists, CDNs, and research scanning), malicious (spammers and scanners for security vulnerabilities), or perhaps indeterminate (ad trackers). Knowledge of malicious activity may help anticipate attacks, and understanding benign activity may set a baseline or characterize growth. This paper identifies \emphDNS backscatter as a new source of information about network-wide activity. Backscatter is the reverse DNS queries caused when targets or middleboxes automatically look up the domain name of the originator. Queries are visible to the authoritative DNS servers that handle reverse DNS. While the fraction of backscatter they see depends on the server's location in the DNS hierarchy, we show that activity that touches many targets appear even in sampled observations. We use information about the queriers to classify originator activity using machine-learning. Our algorithm has reasonable precision (70–80%) as shown by data from three different organizations operating DNS servers at the root or country-level. Using this technique we examine nine months of activity from one authority to identify trends in scanning, identifying bursts corresponding to Heartbleed and broad and continuous scanning of ssh.
@TechReport{Fukuda15b,
	author = 	"Kensuke Fukuda and John Heidemann",
	title = 	"Detecting Malicious Activity with {DNS}
                  Backscatter (extended)",
	institution = 	"USC/Information Sciences Institute",
	year = 		2015,
	sortdate = 		"2015-10-27",
	project = "ant, lacrend, retrofuture",
	jsubject = "dns",
	number = 	"ISI-TR-2015-704",
	month = 	nov,
	jlocation = 	"johnh: pafile",
	keywords = 	"dns, backscatter",
	url =		"https://ant.isi.edu/%7ejohnh/PAPERS/Fukuda15b.html",
	pdfurl =	"https://ant.isi.edu/%7ejohnh/PAPERS/Fukuda15b.pdf",
	dataseturl = "https://ant.isi.edu/datasets/dns_backscatter/index.html",
	icon =	"Fukuda15b_icon.png",
	myorganization =	"USC/Information Sciences Institute",
	copyrightholder = "authors",
	abstract = "Network-wide activity is when one computer (the \emph{originator})
touches many others (the \emph{targets}).  Motives for activity may be
benign (mailing lists, CDNs, and research scanning), malicious
(spammers and scanners for security vulnerabilities), or perhaps
indeterminate (ad trackers).  Knowledge of malicious activity may help
anticipate attacks, and understanding benign activity may set a
baseline or characterize growth.  This paper identifies \emph{DNS
backscatter} as a new source of information about network-wide
activity.  Backscatter is the reverse DNS queries caused when targets
or middleboxes automatically look up the domain name of the
originator.  Queries are visible to the authoritative DNS servers that
handle reverse DNS.  While the fraction of backscatter they see
depends on the server's location in the DNS hierarchy, we show that
activity that touches many targets appear even in sampled
observations.  We use information about the queriers to classify
originator activity using machine-learning.  Our algorithm has
reasonable precision (70--80\%) as shown by data from three different
organizations operating DNS servers at the root or country-level.
Using this technique we examine nine months of activity from one
authority to identify trends in scanning, identifying bursts
corresponding to Heartbleed and broad and continuous scanning of ssh.",
}
Downloads: 0
About
Documentation
Keywords
Search
Users
Terms and Conditions of Use
Privacy Policy
Sitemap
© BibBase.org 2021