Title
A centralized monitoring infrastructure for improving DNS security
Abstract
Researchers have recently noted (14; 27) the potential of fast poisoning attacks against DNS servers, which allow attackers to easily manipulate records in open recursive DNS resolvers. A vendor-wide upgrade mitigated but did not eliminate this attack. Further, existing DNS protection systems, including bailiwick-checking (12) and IDS-style filtration, do not stop this type of DNS poisoning. We therefore propose Anax, a DNS protection system that detects poisoned records in cache. Our system can observe changes in cached DNS records, and applies machine learning to classify these updates as malicious or benign. We describe our classification features and machine learning model selection process while noting that the proposed approach is easily integrated into existing local network protection systems. To evaluate Anax, we studied cache changes in a geographically diverse set of 300,000 open recursive DNS servers (ORDNSs) over an eight-month period. Using hand-verified data as ground truth, evaluation of Anax showed a very low false positive rate (0.6% of all new resource records) and a high detection rate (91.9%).
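The abstract describes the shape of the system (poll many open resolvers, diff their caches to find new resource records, classify each new record, score against hand labels) without giving the feature set. The following is an added example, not code from the paper or its authors: it replays constructed polling rounds from three hypothetical resolvers (r1, r2, r3) over example domains and RFC 5737 documentation addresses, finds new A records, classifies them with a stand-in heuristic that is an assumption rather than Anax's features (a /24 never seen for that name at any resolver, combined with a TTL more than twice the largest previously observed), and computes the two metrics the abstract reports: false positives as a share of all new resource records, and detection rate over the hand-labelled poisoned records.

```python
"""Added example (not the paper's code): cache-change monitoring across many open
resolvers, a stand-in classifier, and the abstract's two evaluation metrics."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class CachedRR:
    """One A record observed in one resolver's cache during one polling round."""
    resolver: str
    name: str
    rdata: str   # IPv4 address in dotted-quad form
    ttl: int


def new_records(snapshot, seen):
    """Records not observed in any earlier round at the same resolver."""
    return [r for r in snapshot if (r.resolver, r.name, r.rdata) not in seen]


def build_history(rounds):
    """Centralised per-name view across ALL resolvers: /24 networks and largest TTL."""
    nets, max_ttl = {}, {}
    for rnd in rounds:
        for r in rnd:
            nets.setdefault(r.name, set()).add(ip_network(f"{r.rdata}/24", strict=False))
            max_ttl[r.name] = max(max_ttl.get(r.name, 0), r.ttl)
    return nets, max_ttl


def is_suspicious(rr, nets, max_ttl):
    """Stand-in heuristic (an assumption, not the paper's feature set): flag a new RR
    when its /24 was never seen for that name at any resolver AND its TTL exceeds twice
    the largest TTL seen before. A name with no history cannot be judged and is left
    unflagged rather than reported as novel."""
    if rr.name not in nets:
        return False
    novel = ip_network(f"{rr.rdata}/24", strict=False) not in nets[rr.name]
    return novel and rr.ttl > 2 * max_ttl[rr.name]


def evaluate(rounds, poisoned):
    """Replay rounds in order, classify each new RR against the history that preceded
    it, and score against hand labels (poisoned = set of (resolver, name, rdata))."""
    counts = {"new": 0, "flagged": 0, "tp": 0, "fp": 0, "malicious": 0}
    seen = {(r.resolver, r.name, r.rdata) for r in rounds[0]}   # round 0 is the baseline
    for i in range(1, len(rounds)):
        nets, max_ttl = build_history(rounds[:i])               # history excludes this round
        for rr in new_records(rounds[i], seen):
            malicious = (rr.resolver, rr.name, rr.rdata) in poisoned
            flagged = is_suspicious(rr, nets, max_ttl)
            counts["new"] += 1
            counts["malicious"] += int(malicious)
            counts["flagged"] += int(flagged)
            counts["tp"] += int(flagged and malicious)
            counts["fp"] += int(flagged and not malicious)
        seen.update((r.resolver, r.name, r.rdata) for r in rounds[i])
    # FP rate is measured over all new RRs, the denominator the abstract uses.
    counts["false_positive_rate"] = counts["fp"] / counts["new"] if counts["new"] else 0.0
    counts["detection_rate"] = counts["tp"] / counts["malicious"] if counts["malicious"] else 0.0
    return counts


# Constructed polling rounds (sample data, not measurements from the paper).
ROUNDS = [
    [CachedRR("r1", "example.com", "93.184.216.34", 3600),
     CachedRR("r2", "example.com", "93.184.216.34", 3000),
     CachedRR("r1", "bank.example", "198.51.100.10", 300),
     CachedRR("r2", "bank.example", "198.51.100.11", 300),
     CachedRR("r3", "bank.example", "198.51.100.10", 280)],
    [CachedRR("r1", "example.com", "93.184.216.34", 3500),   # same key: not new
     CachedRR("r2", "example.com", "93.184.216.34", 3000),
     CachedRR("r1", "bank.example", "198.51.100.12", 300),   # new, benign: same /24, normal TTL
     CachedRR("r2", "bank.example", "203.0.113.66", 86400),  # new, poisoned: novel /24, huge TTL
     CachedRR("r3", "bank.example", "198.51.100.10", 280),
     CachedRR("r3", "cdn.example", "192.0.2.5", 60)],        # new name, no history: unjudged
    [CachedRR("r1", "example.com", "93.184.216.34", 3400),
     CachedRR("r2", "example.com", "93.184.216.35", 3600),   # new, benign: same /24
     CachedRR("r1", "bank.example", "198.51.100.12", 300),
     CachedRR("r2", "bank.example", "203.0.113.66", 86400),  # already seen at r2
     CachedRR("r3", "bank.example", "203.0.113.67", 86400),  # poisoned, but /24 is now in history: missed
     CachedRR("r1", "cdn.example", "203.0.113.200", 600)],   # benign CDN move: false positive
]
# Hand labels for the constructed data.
POISONED = {("r2", "bank.example", "203.0.113.66"), ("r3", "bank.example", "203.0.113.67")}


def run_demo():
    return evaluate(ROUNDS, POISONED)


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The replay shows two failure modes a practitioner should expect from any cache-diff classifier: a poisoned record that reaches a second resolver after the first poisoning has already been absorbed into the cross-resolver history is missed, and a legitimate move to new hosting with a longer TTL is flagged. Both are the reason the paper reports hand-verified ground truth and a false positive rate normalised by all new resource records rather than by flagged ones.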
Year
2010
DOI
10.1007/978-3-642-15512-3_2
Venue
RAID
Keywords
cached dns record, dns resolvers, cache change, open recursive dns server, dns protection system, centralized monitoring infrastructure, dns security, fast poisoning attack, local network protection system, dns server, high detection rate, dns poisoning, false positive rate, model selection, ground truth, machine learning
Field
False positive rate, Computer science, Computer security, Cache, Server, Model selection, Round-robin DNS, Ground truth, Local area network, DNS spoofing
DocType
Conference
Volume
6307
ISSN
0302-9743
ISBN
3-642-15511-1
Citations
19
PageRank
1.26
References
8
Authors
6
Name               Order  Citations  PageRank
Manos Antonakakis  1      702        36.70
David Dagon        2      1635       131.25
Xiapu Luo          3      1302       110.23
Roberto Perdisci   4      2137       97.99
Wenke Lee          5      9351       628.83
Justin Bellmor     6      19         1.26