Paper Info
Title
Mining agile DNS traffic using graph analysis for cybercrime detection.
Abstract
We consider the analysis of network traffic data for identifying highly agile DNS patterns which are widely considered indicative for cybercrime. In contrast to related approaches, our methodology is capable of explicitly distinguishing between the individual, inherent agility of benign Internet services and criminal sites. Although some benign services use a large number of addresses, they are confined to a subset of IP addresses, due to operational requirements and contractual agreements with certain Content Distribution Networks. We discuss DNSMap, a system which analyzes observed DNS traffic, and continuously learns which FQDNs are hosted on which IP addresses. Any significant changes over time are mapped to bipartite graphs, which are then further pruned for cybercrime activity. Graph analysis enables the detection of transitive relations between FQDNs and IPs, and reveals clusters of malicious FQDNs and IP addresses hosting them. We developed a prototype system which is designed for realtime analysis, requires no costly classifier retraining, and no excessive whitelisting. We evaluate our system using large data sets from an ISP with several 100,000 customers, and demonstrate that even moderately agile criminal sites can be detected reliably and almost immediately.
Year
DOI
Venue
2016
10.1016/j.comnet.2016.02.009
Computer Networks
Keywords
Field
DocType
Cybercrime detection,Traffic analysis,DNS,Graph analysis,Network monitoring
Traffic analysis,Computer science,Bipartite graph,Computer network,Power graph analysis,Cybercrime,Agile software development,Network monitoring,Distributed computing,The Internet,Transitive relation
Journal
Volume
Issue
ISSN
100
C
1389-1286
Citations 
PageRank 
References 
5
0.44
17
Authors
4
Name
Order
Citations
PageRank
Andreas Berger1505.92
Alessandro D'Alconzo233026.01
Wilfried N. Gansterer331135.07
Antonio Pescapè4107687.91