A centralized monitoring infrastructure for improving DNS security

Manos Antonakakis, David Dagon, Xiapu Luo, Roberto Perdisci, Wenke Lee, Justin Bellmor

Research output: Chapter in book / Conference proceeding > Conference article published in proceeding or book > Academic research > peer-review

24 Citations (Scopus)

Abstract

Researchers have recently noted (14; 27) the potential of fast poisoning attacks against DNS servers, which allow attackers to easily manipulate records in open recursive DNS resolvers. A vendor-wide upgrade mitigated but did not eliminate this attack. Further, existing DNS protection systems, including bailiwick checking (12) and IDS-style filtering, do not stop this type of DNS poisoning. We therefore propose Anax, a DNS protection system that detects poisoned records in cache. Our system observes changes in cached DNS records and applies machine learning to classify these updates as malicious or benign. We describe our classification features and our machine learning model selection process, noting that the proposed approach is easily integrated into existing local network protection systems. To evaluate Anax, we studied cache changes in a geographically diverse set of 300,000 open recursive DNS servers (ORDNSs) over an eight month period. Using hand-verified data as ground truth, evaluation of Anax showed a very low false positive rate (0.6% of all new resource records) and a high detection rate (91.9%).
Original language: English
Title of host publication: Recent Advances in Intrusion Detection - 13th International Symposium, RAID 2010, Proceedings
Pages: 18-37
Number of pages: 20
DOIs
Publication status: Published - 19 Nov 2010
Externally published: Yes
Event: 13th International Symposium on Recent Advances in Intrusion Detection Systems, RAID 2010 - Ottawa, ON, Canada
Duration: 15 Sep 2010 to 17 Sep 2010

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 6307 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 13th International Symposium on Recent Advances in Intrusion Detection Systems, RAID 2010
Country/Territory: Canada
City: Ottawa, ON
Period: 15/09/10 to 17/09/10

Keywords

  • Attack Detection
  • DNS Poisoning
  • Local Network Protection

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)