TY - GEN
T1 - A centralized monitoring infrastructure for improving DNS security
AU - Antonakakis, Manos
AU - Dagon, David
AU - Luo, Xiapu
AU - Perdisci, Roberto
AU - Lee, Wenke
AU - Bellmor, Justin
PY - 2010/11/19
Y1 - 2010/11/19
N2 - Researchers have recently noted (14; 27) the potential of fast poisoning attacks against DNS servers, which allow attackers to easily manipulate records in open recursive DNS resolvers. A vendor-wide upgrade mitigated but did not eliminate this attack. Further, existing DNS protection systems, including bailiwick checking (12) and IDS-style filtration, do not stop this type of DNS poisoning. We therefore propose Anax, a DNS protection system that detects poisoned records in cache. Our system can observe changes in cached DNS records, and applies machine learning to classify these updates as malicious or benign. We describe our classification features and machine learning model selection process while noting that the proposed approach is easily integrated into existing local network protection systems. To evaluate Anax, we studied cache changes in a geographically diverse set of 300,000 open recursive DNS servers (ORDNSs) over an eight-month period. Using hand-verified data as ground truth, evaluation of Anax showed a very low false positive rate (0.6% of all new resource records) and a high detection rate (91.9%).
AB - Researchers have recently noted (14; 27) the potential of fast poisoning attacks against DNS servers, which allow attackers to easily manipulate records in open recursive DNS resolvers. A vendor-wide upgrade mitigated but did not eliminate this attack. Further, existing DNS protection systems, including bailiwick checking (12) and IDS-style filtration, do not stop this type of DNS poisoning. We therefore propose Anax, a DNS protection system that detects poisoned records in cache. Our system can observe changes in cached DNS records, and applies machine learning to classify these updates as malicious or benign. We describe our classification features and machine learning model selection process while noting that the proposed approach is easily integrated into existing local network protection systems. To evaluate Anax, we studied cache changes in a geographically diverse set of 300,000 open recursive DNS servers (ORDNSs) over an eight-month period. Using hand-verified data as ground truth, evaluation of Anax showed a very low false positive rate (0.6% of all new resource records) and a high detection rate (91.9%).
KW - Attack Detection
KW - DNS Poisoning
KW - Local Network Protection
UR - http://www.scopus.com/inward/record.url?scp=78249250853&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-15512-3_2
DO - 10.1007/978-3-642-15512-3_2
M3 - Conference article published in proceeding or book
SN - 3642155111
SN - 9783642155116
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 18
EP - 37
BT - Recent Advances in Intrusion Detection - 13th International Symposium, RAID 2010, Proceedings
T2 - 13th International Symposium on Recent Advances in Intrusion Detection Systems, RAID 2010
Y2 - 15 September 2010 through 17 September 2010
ER -