Free download of the paper: Mining agile DNS traffic using graph analysis for cybercrime detection

Persian title
Mining agile DNS traffic using graph analysis for cybercrime detection
English title
Mining agile DNS traffic using graph analysis for cybercrime detection
Pages (Persian version)
0
Pages (English version)
17
Year of publication
2016
Publisher
Elsevier
Format of the English paper
PDF
Product code
E964
Related fields
Computer Engineering and Information Technology Engineering
Related specializations
Computer Networks and Information Security
Journal
Computer Networks
Institution
Telecommunications Research Center Vienna (FTW), Austria
Keywords
Cybercrime detection, traffic analysis, DNS, graph analysis, network monitoring
Abstract

We consider the analysis of network traffic data for identifying highly agile DNS patterns, which are widely considered indicative of cybercrime. In contrast to related approaches, our methodology is capable of explicitly distinguishing between the individual, inherent agility of benign Internet services and criminal sites. Although some benign services use a large number of addresses, they are confined to a subset of IP addresses, due to operational requirements and contractual agreements with certain Content Distribution Networks. We discuss DNSMap, a system which analyzes observed DNS traffic and continuously learns which FQDNs are hosted on which IP addresses. Any significant changes over time are mapped to bipartite graphs, which are then further pruned for cybercrime activity. Graph analysis enables the detection of transitive relations between FQDNs and IPs, and reveals clusters of malicious FQDNs and the IP addresses hosting them. We developed a prototype system which is designed for real-time analysis, requires no costly classifier retraining, and no excessive whitelisting. We evaluate our system using large data sets from an ISP with several 100,000 customers, and demonstrate that even moderately agile criminal sites can be detected reliably and almost immediately.

7. Conclusion

We proposed and discussed a cybercrime detection system which is based on DNS FQDN-to-IP-address mappings. We extract these mappings from traffic data, and find profiles describing typical FQDN patterns for arbitrary-length IP ranges. Cybercrime uses DNS for combining high service availability with resilience to countermeasures. This agile DNS activity results in changes to the DNS profiles, which we further investigate using graph analysis. In a number of experiments we showed how to target different malware activity and discussed the difficulties of evading our detection system. Further improvements are possible, which we consider for future work. We proposed a very small set of graph query parameters, which of course can be extended. For example, we conducted early experiments using a database for retrieving the total number of DNS queries for a certain suspicious FQDN. Typically, one would especially be interested in groups of malware sites which are looked up by many different hosts, and we expect a further reduction in the number of false alarms by introducing a corresponding feature. Furthermore, additional graph analysis measures (e.g., degree distribution) may yield interesting results. Another promising direction for future work is the integration of additional data. In particular, we will consider the inclusion of information describing the authoritative name servers for the domains represented in our graph. This is related to the ideas presented in [8,13] and is expected to link suspicious domains from different agile groups, and thus provide even better detection performance.

Acknowledgments

The work of Antonio Pescapé is partially funded by the Italian Ministry of Education, Universities and Research in the context of Art. 11 DM 593/2000 for NM2 SRL. We would like to thank Eduard Natale and Mirko Schiavone for supporting us with the software implementation. This work has been supported by the Austrian Government and by the City of Vienna within the competence center program COMET.
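The detection idea described in the abstract and conclusion (learn FQDN-to-IP-range profiles, map the mappings that fall outside them to a bipartite FQDN-IP graph, and use transitive FQDN-IP-FQDN links to cluster domains that move together) as an added illustration, not the authors' DNSMap code. It simplifies the paper's arbitrary-length IP ranges to fixed /24 prefixes; all FQDNs, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
import ipaddress

def ip_range(ip, prefix=24):
    """Profile granularity: a fixed /24 here (the paper learns arbitrary-length
    ranges), so a CDN's address pool counts as one hosting location."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def learn_profile(records):
    """Baseline phase: which IP ranges each FQDN has been observed on."""
    profile = defaultdict(set)
    for fqdn, ip in records:
        profile[fqdn].add(ip_range(ip))
    return profile

def new_mappings(profile, records):
    """Observations the learned profile does not explain: the agility signal."""
    return [(f, ip) for f, ip in records if ip_range(ip) not in profile.get(f, set())]

def agile_clusters(mappings, min_fqdns=2, min_ips=2):
    """Connected components of the bipartite FQDN-IP graph built from the new
    mappings. Components with one FQDN or one IP (a routine server move) are
    dropped; groups of domains rotating over shared addresses are kept."""
    adj = defaultdict(set)
    for f, ip in mappings:
        adj[("fqdn", f)].add(("ip", ip))
        adj[("ip", ip)].add(("fqdn", f))
    seen, clusters = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:                      # iterative DFS over the bipartite graph
            node = stack.pop()
            if node in comp:
                continue
            comp.add(node)
            stack.extend(adj[node] - comp)
        seen |= comp
        fqdns = sorted(n for k, n in comp if k == "fqdn")
        ips = sorted(n for k, n in comp if k == "ip")
        if len(fqdns) >= min_fqdns and len(ips) >= min_ips:
            clusters.append((fqdns, ips))
    return clusters

# Constructed sample traffic using documentation address blocks (not real data).
BASELINE = [("cdn.example.com", "198.51.100.10"), ("cdn.example.com", "198.51.100.20"),
            ("shop.example.net", "203.0.113.5"), ("mail.example.org", "203.0.113.9")]
WINDOW = [("cdn.example.com", "198.51.100.30"),   # same CDN range: benign agility
          ("shop.example.net", "198.51.100.99"),  # one site, one new IP: dropped
          ("a1.example", "192.0.2.11"), ("a2.example", "192.0.2.11"),
          ("a2.example", "192.0.2.12"), ("a3.example", "192.0.2.12"),
          ("a3.example", "192.0.2.13")]           # three FQDNs sharing three IPs

def detect(baseline=BASELINE, window=WINDOW):
    return agile_clusters(new_mappings(learn_profile(baseline), window))
```

Running `detect()` reports only the a1/a2/a3 group: the CDN move stays inside its learned range and the lone shop move forms a one-FQDN component.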