Effective Mechanism for Blocking DNS Based Misbehaviours and Web Content Modification

International Journal of Computer Science (IJCS Journal) Published by SK Research Group of Companies (SKRGC) Scholarly Peer Reviewed Research Journals

Format: Volume 2, Issue 1, No 4, 2014.

Copyright: All Rights Reserved ©2014

Year of Publication: 2014

Author: K.Priyadharshini

Reference: IJCS-048


Abstract

Domain Name System (DNS) queries for botnet command and control provide a distributed infrastructure for storing, updating, and disseminating data that conveniently fits the need for a large-scale command and control system. The HTTP protocol provides end-to-end communication between a client and a server. DNS provides not only a means of communication between computers, but also systematic mechanisms for naming, locating, distributing, and caching resources without tolerance. These features of DNS may be utilized to build a more effective command-and-control system than HTTP servers may provide. The DNS server then responds with the appropriate data using the agreed-upon semantics. We identify several groups of features that allow Disclosure to reliably distinguish C&C channels from benign traffic using NetFlow records. To reduce Disclosure's false positive rate, we incorporate a number of external reputation scores into our system's detection procedure. We provide an extensive evaluation of Disclosure over two large, real-world networks. Our evaluation demonstrates that Disclosure is able to perform real-time detection of botnet C&C channels over datasets on the order of billions of flows per day. The DNS server is one of the primary and most vulnerable infrastructure components through which communications service providers suffer Denial of Service and Distributed Denial of Service attacks. Attackers, in particular botnet controllers, use stealthy messaging systems to set up large-scale command and control for web content defacing.
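The abstract describes distinguishing C&C channels from benign traffic by computing feature groups over NetFlow records and combining them with external reputation scores. The following Python is an added illustration of that pipeline shape, not code from the paper or from Disclosure: the feature choices (flow-size regularity, inter-flow timing regularity, client-population size), the 0.7/0.3 weighting, the three-flow minimum, the 0.5 threshold, the NetFlow-style records and the reputation values are all assumptions constructed for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: (start_time_s, src_ip, dst_ip, dst_port, bytes).
# Not data from the paper; built here to exercise the feature logic.
SAMPLE_FLOWS = [
    # 10.0.0.5 contacts 203.0.113.7:53 every 60 s with near-identical sizes (beacon-like)
    (0, "10.0.0.5", "203.0.113.7", 53, 120),
    (60, "10.0.0.5", "203.0.113.7", 53, 122),
    (120, "10.0.0.5", "203.0.113.7", 53, 121),
    (180, "10.0.0.5", "203.0.113.7", 53, 120),
    (240, "10.0.0.5", "203.0.113.7", 53, 123),
    # three hosts browsing 198.51.100.2:443 with varied sizes and irregular timing
    (5, "10.0.0.8", "198.51.100.2", 443, 4200),
    (17, "10.0.0.9", "198.51.100.2", 443, 15800),
    (140, "10.0.0.8", "198.51.100.2", 443, 900),
    (33, "10.0.0.11", "198.51.100.2", 443, 22000),
]

# Constructed external reputation scores in [0, 1], higher = more suspicious.
# Stands in for the reputation feeds the abstract mentions; the values are assumed.
REPUTATION = {"203.0.113.7": 0.8, "198.51.100.2": 0.05}


def _cv(values):
    """Coefficient of variation (population stdev / mean); 0.0 means perfectly uniform."""
    if len(values) < 2:
        return 1.0  # too little data to judge regularity; treat as irregular
    m = mean(values)
    return pstdev(values) / m if m > 0 else 1.0


def flow_features(flows):
    """Group flows by (dst_ip, dst_port) and derive per-destination feature groups:
    flow-size regularity, inter-flow timing regularity, and client-population size."""
    by_dst = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        by_dst[(dst, port)].append((ts, src, nbytes))
    features = {}
    for key, recs in by_dst.items():
        recs.sort()  # order by timestamp so the gaps between flows are meaningful
        times = [t for t, _, _ in recs]
        sizes = [b for _, _, b in recs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        features[key] = {
            "flows": len(recs),
            "clients": len({s for _, s, _ in recs}),
            "size_cv": _cv(sizes),
            "gap_cv": _cv(gaps),
        }
    return features


def cc_score(dst_ip, feats, reputation):
    """Combine flow-derived regularity with an external reputation score.
    The 0.7/0.3 weights and the three-flow minimum are this example's assumptions."""
    if feats["flows"] < 3:
        flow_score = 0.0  # not enough observations to call anything regular
    else:
        # Near-constant sizes and near-constant timing both push this toward 1.0
        flow_score = (1.0 - min(feats["size_cv"], 1.0)) * (1.0 - min(feats["gap_cv"], 1.0))
    return 0.7 * flow_score + 0.3 * reputation.get(dst_ip, 0.0)


def detect(flows, reputation, threshold=0.5):
    """Return the (dst_ip, dst_port) pairs whose combined score reaches the threshold."""
    feats = flow_features(flows)
    flagged = [key for key, f in feats.items()
               if cc_score(key[0], f, reputation) >= threshold]
    return sorted(flagged)


if __name__ == "__main__":
    for key, f in flow_features(SAMPLE_FLOWS).items():
        rounded = {k: round(v, 3) if isinstance(v, float) else v for k, v in f.items()}
        print(key, rounded, round(cc_score(key[0], f, REPUTATION), 3))
    print("flagged:", detect(SAMPLE_FLOWS, REPUTATION))
```

On the constructed input the beaconing destination scores above 0.9 (uniform sizes, zero timing variance, one client, poor reputation) while the web server scores below 0.1, which is the separation the abstract's feature-plus-reputation approach aims for; the reputation term is what keeps a regular but well-reputed service (a software update check, say) from being flagged on timing alone.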


Keywords

Network security, DNS security, botnet detection, and command and control.

This work is licensed under a Creative Commons Attribution 3.0 Unported License.
