The DNS structure discloses useful information about the organization and the operation of an enterprise network, which can be used for designing attacks as well as monitoring domains supporting malicious activities. Thus, this paper introduces a new method for exploring DNS domains. Although our previous work described a tool to generate existing DNS names accurately in order to probe a domain automatically, the approach is extended by leveraging semantic analysis of domain names. In particular, the semantic distributional similarity and relatedness of sub-domains are considered as well as sequential patterns. The evaluation shows that the discovery is highly improved while the overhead remains low, compared with non-semantic DNS probing tools including ours and others.
Research center :
Interdisciplinary Centre for Security, Reliability and Trust
Disciplines :
Computer science
Identifiers :
UNILU:UL-CONFERENCE-2012-109
Author, co-author :
Marchal, Samuel ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
François, Jérôme ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Wagner, Cynthia ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
Engel, Thomas ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
Language :
English
Title :
Semantic Exploration of DNS
Publication date :
May 2012
Event name :
Networking 2012
Event organizer :
Czech Technical University in Prague
Event place :
Prague, Czechia
Event date :
21-25 May 2012
Audience :
International
Main work title :
Proceedings of the 11th International IFIP TC 6 Networking Conference, Prague, Czech Republic, May 21-25 2012