Open access

Unsupervised Learning Techniques for Malware Characterization: Understanding Certain DNS-based DDoS Attacks

Published: 04 August 2020

Abstract

This article details data science research in the area of Cyber Threat Intelligence applied to a specific type of Distributed Denial of Service (DDoS) attack. We study a DDoS technique prevalent in the Domain Name System (DNS) for which little malware has been recovered. Using data from a globally distributed set of passive DNS collectors (pDNS), we build a statistical classifier to identify these attacks and then use unsupervised learning to investigate the attack events and the malware that generates them. As the first known major study of this technique, this work demonstrates that current attacks bear little resemblance to earlier published descriptions and identifies several features of the attacks. Through a combination of text and time-series features, we are able to characterize the dominant malware and show that the number of global-scale attack systems is relatively small.



Published In

Digital Threats: Research and Practice, Volume 1, Issue 3 (Field Notes)
September 2020, 93 pages
EISSN: 2576-5337
DOI: 10.1145/3415596
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 04 August 2020
Online AM: 07 May 2020
Accepted: 01 December 2019
Revised: 01 December 2019
Received: 01 April 2019
Published in DTRAP Volume 1, Issue 3


Author Tags

  1. Domain name service (DNS)
  2. botnet
  3. clustering
  4. data science
  5. ddos attacks
  6. malware
  7. threat intelligence

Qualifiers

  • Research-article
  • Research
  • Refereed
