Article

Identifying suspicious activities through DNS failure graph analysis

Authors:

Nan Jiang,

Jin Cao,

Yu Jin,

Li Erran Li,

Zhi-Li ZhangAuthors Info & Claims

ICNP '10: Proceedings of the The 18th IEEE International Conference on Network Protocols

Pages 144 - 153

https://doi.org/10.1109/ICNP.2010.5762763

Published: 05 October 2010 Publication History

Abstract

As a key approach to securing large networks, existing anomaly detection techniques focus primarily on network traffic data. However, the sheer volume of such data often renders detailed analysis very expensive and reduces the effectiveness of these tools. In this paper, we propose a light-weight anomaly detection approach based on unproductive DNS traffic, namely, the failed DNS queries, with a novel tool - DNS failure graphs. A DNS failure graph captures the interactions between hosts and failed domain names. We apply a graph decomposition algorithm based on the tri-nonnegative matrix factorization technique to iteratively extract coherent co-clusters (dense subgraphs) from DNS failure graphs. By analyzing the co-clusters in the daily DNS failure graphs from a 3-month DNS trace captured at a large campus network, we find these co-clusters represent a variety of anomalous activities, e.g., spamming, trojans, bots, etc. In addition, these activities often exhibit distinguishable subgraph structures. By exploring the temporal properties of the co-clusters, we show our method can identify new anomalies that likely correspond to unreported domain-flux bots.

Cited By

View all

Pan PMa XFu YChen F(2022)Automating Group Management of Large-Scale IoT Botnets for AntitrackingSecurity and Communication Networks10.1155/2022/41969452022Online publication date: 1-Jan-2022
https://dl.acm.org/doi/10.1155/2022/4196945
Yang DLi ZTyson GGavrilovska AZadok E(2020)A deep dive into DNS query failuresProceedings of the 2020 USENIX Conference on Usenix Annual Technical Conference10.5555/3489146.3489180(507-514)Online publication date: 15-Jul-2020
https://dl.acm.org/doi/10.5555/3489146.3489180
Al-Nawasrah AAlmomani AAtawneh SAlauthman M(2020)A Survey of Fast Flux Botnet Detection With Fast Flux Cloud ComputingInternational Journal of Cloud Applications and Computing10.4018/IJCAC.202007010210:3(17-53)Online publication date: 1-Jul-2020
https://dl.acm.org/doi/10.4018/IJCAC.2020070102
Show More Cited By

Recommendations

Identifying botnets by capturing group activities in DNS traffic

Botnets have become the main vehicle to conduct online crimes such as DDoS, spam, phishing and identity theft. Even though numerous efforts have been directed towards detection of botnets, evolving evasion techniques easily thwart detection. Moreover, ...
A method for identifying compromised clients based on DNS traffic analysis

DNS is widely abused by Internet criminals in order to provide reliable communication within malicious network infrastructure as well as flexible and resilient hosting of malicious content. This paper presents a novel detection method that can be used ...
Detecting malware based on DNS graph mining
Special issue on Big Data in Future Sensing

Malware remains a major threat to nowadays Internet. In this paper, we propose a DNS graph mining-based malware detection approach. A DNS graph is composed of DNS nodes, which represent server IPs, client IPs, and queried domain names in the process of ...

Comments

Information & Contributors

Information

Published In

ICNP '10: Proceedings of the The 18th IEEE International Conference on Network Protocols

October 2010

321 pages

ISBN:9781424486441

Publisher

IEEE Computer Society

United States

Publication History

Published: 05 October 2010

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

20
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 20 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Pan PMa XFu YChen F(2022)Automating Group Management of Large-Scale IoT Botnets for AntitrackingSecurity and Communication Networks10.1155/2022/41969452022Online publication date: 1-Jan-2022
https://dl.acm.org/doi/10.1155/2022/4196945
Yang DLi ZTyson GGavrilovska AZadok E(2020)A deep dive into DNS query failuresProceedings of the 2020 USENIX Conference on Usenix Annual Technical Conference10.5555/3489146.3489180(507-514)Online publication date: 15-Jul-2020
https://dl.acm.org/doi/10.5555/3489146.3489180
Al-Nawasrah AAlmomani AAtawneh SAlauthman M(2020)A Survey of Fast Flux Botnet Detection With Fast Flux Cloud ComputingInternational Journal of Cloud Applications and Computing10.4018/IJCAC.202007010210:3(17-53)Online publication date: 1-Jul-2020
https://dl.acm.org/doi/10.4018/IJCAC.2020070102
Nabeel MKhalil IGuan BYu T(2020)Following Passive DNS Traces to Detect Stealthy Malicious Domains Via Graph InferenceACM Transactions on Privacy and Security10.1145/340189723:4(1-36)Online publication date: 6-Jul-2020
https://dl.acm.org/doi/10.1145/3401897
Xie XNiu WZhang XRen ZLuo YLi J(2019)Co-Clustering Host-Domain Graphs to Discover Malware InfectionProceedings of the 2019 International Conference on Artificial Intelligence and Advanced Manufacturing10.1145/3358331.3358380(1-6)Online publication date: 17-Oct-2019
https://dl.acm.org/doi/10.1145/3358331.3358380
Curtin RGardner AGrzonkowski SKleymenov AMosquera A(2019)Detecting DGA domains with recurrent neural networks and side informationProceedings of the 14th International Conference on Availability, Reliability and Security10.1145/3339252.3339258(1-10)Online publication date: 26-Aug-2019
https://dl.acm.org/doi/10.1145/3339252.3339258
Zhauniarovich YKhalil IYu TDacier M(2018)A Survey on Malicious Domains Detection through DNS Data AnalysisACM Computing Surveys10.1145/319132951:4(1-36)Online publication date: 6-Jul-2018
https://dl.acm.org/doi/10.1145/3191329
Khalil IGuan BNabeel MYu TZhao ZAhn GKrishnan RGhinita G(2018)A Domain is only as Good as its BuddiesProceedings of the Eighth ACM Conference on Data and Application Security and Privacy10.1145/3176258.3176329(330-341)Online publication date: 13-Mar-2018
https://dl.acm.org/doi/10.1145/3176258.3176329
Fang CLiu JAnsari N(2018)Revealing connectivity structural patterns among web objects based on co-clustering of bipartite request dependency graphWireless Networks10.1007/s11276-016-1345-524:2(439-451)Online publication date: 1-Feb-2018
https://dl.acm.org/doi/10.1007/s11276-016-1345-5
Mohaisen ARen KMohaisen AKui Ren (2017)Leakage of .onion at the DNS RootIEEE/ACM Transactions on Networking10.1109/TNET.2017.271796525:5(3059-3072)Online publication date: 1-Oct-2017
https://dl.acm.org/doi/10.1109/TNET.2017.2717965
Show More Cited By

Abstract

Cited By

Recommendations

Identifying botnets by capturing group activities in DNS traffic

A method for identifying compromised clients based on DNS traffic analysis

Detecting malware based on DNS graph mining

Comments

Information

Published In

Publisher

Publication History

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations