Scalable analytics to detect DNS misuse for establishing stealthy communication channels

D. L. Schales, J. Jang, T. Wang, X. Hu, D. Kirat, B. Wuest, M. P. Stoecklin

Research output: Contribution to journalArticlepeer-review

6 Scopus citations

Abstract

The Domain Name System (DNS) protocol is one of the few application protocols that are allowed to cross network perimeters of organizations. However, comprehensive monitoring of DNS traffic has been often overlooked in many organizations' cybersecurity strategies. As such, DNS provides a highly attractive channel for advanced threat actors and botnet operators to establish hard-to-block and stealthy communication channels between infected devices and command-and-control (CC) infrastructures. Fast-fluxing (FF) and domain name generation algorithms (DGAs) are two well-known public DNS exploitation techniques to build agile CC infrastructures. The detection of FF and DGA domain names is a big data problem, as it requires analyzing millions of DNS queries and replies over extended time periods. In this paper, we propose two algorithms to perform DNS analytics and effectively detect FF and DGA domain names. More importantly, we describe how the algorithms are implemented using two big data processing models: MapReduce and Feature Collection and Correlation Engine. The algorithms and implementation proposed are iterative and scale over long analysis periods. We describe the implementations and provide an evaluation complemented with case studies on 50 days of real-world DNS data consisting of more than 40 billion events, collected within a large corporate network.

Original languageEnglish (US)
Article number7523348
JournalIBM Journal of Research and Development
Volume60
Issue number4
DOIs
StatePublished - Jul 1 2016

All Science Journal Classification (ASJC) codes

  • Computer Science(all)

Fingerprint Dive into the research topics of 'Scalable analytics to detect DNS misuse for establishing stealthy communication channels'. Together they form a unique fingerprint.

Cite this