Improving internet security via large-scale passive and active dns monitoring

Antonakakis, Emmanouil Konstantinos

04 June 2012

The Domain Name System (DNS) is a critical component of the Internet. DNS provides the ability to map human-readable and memorable domain names to machine-level IP addresses and other records. These mappings lie at the heart of the Internet's success and are essential for the majority of core Internet applications and protocols. The critical nature of DNS means that it is often the target of abuse. Cyber-criminals rely heavily upon the reliability and scalability of the DNS protocol to serve as an agile platform for their illicit operations. For example, modern malware and Internet fraud techniques rely upon DNS to locate their remote command-and-control (C&C) servers through which new commands from the attacker are issued, serve as exfiltration points for information stolen from the victims' computers, and to manage subsequent updates to their malicious toolset. The research described in this thesis scientifically addresses problems in the area of DNS-based detection of illicit operations. In detail, this research studies new methods to quantify and track dynamically changing reputations for DNS based on passive network measurements. The research also investigates methods for the creation of early warning systems for DNS. These early warning systems enables the research community to identify emerging threats (e.g., new botnets and malware infections) across the DNS hierarchy in a timelier manner.

Anomaly detection

DNS monitoring

Internet security

Internet Management

Anomaly detection (Computer security)

Computer security

Malware (Computer software)

Analyse du DNS et analyse sémantique pour la détection de l'hameçonnage / DNS and semantic analysis for phishing detection

Marchal, Samuel

22 June 2015

L’hameçonnage est une escroquerie moderne qui cible les utilisateurs de communications électroniques et vise à les convaincre de réaliser des actions pour le bénéfice d’un individu nommé hameçonneur. Les attaques d’hameçonnage s’appuient essentiellement sur de l’ingénierie sociale et la plupart de ces attaques utilisent des liens représentés par des noms de domaine et des URLs. Nous proposons donc dans cette thèse de nouvelles solutions, reposant sur une analyse lexicale et sémantique de la composition des noms de domaine et des URLs, pour combattre l’hameçonnage. Ces deux types de pointeurs sont créés et offusqués par les hameçonneurs pour piéger leurs victimes. Ainsi, nous démontrons que les noms de domaine et les URLs utilisés dans des attaques d’hameçonnage présentent des similitudes dans leur composition lexicale et sémantique, et que celles-ci sont différentes des caractéristiques présentées par les noms de domaine et les URL légitimes. Nous utilisons ces caractéristiques pour construire des modèles représentant la composition des URLs et des noms de domaine d’hameçonnage en utilisant des techniques d’apprentissage automatique et des méthodes de traitement du langage naturel. Les modèles construits sont utilisés pour des applications telles que l’identification de noms de domaine et des URLs d’hameçonnage, la notation des URLs et la prédiction des noms de domaine utilisés dans les attaques d’hameçonnage. Les techniques proposées sont évaluées sur des données réelles et elles montrent leur efficacité en répondant aux exigences de vitesse, d’universalité et de fiabilité / Phishing is a kind of modern swindles that targets electronic communications users and aims to persuade them to perform actions for a another’s benefit. Phishing attacks rely mostly on social engineering and that most phishing vectors leverage directing links represented by domain names and URLs, we introduce new solutions to cope with phishing. These solutions rely on the lexical and semantic analysis of the composition of domain names and URLs. Both of these resource pointers are created and obfuscated by phishers to trap their victims. Hence, we demonstrate in this document that phishing domain names and URLs present similarities in their lexical and semantic composition that are different form legitimate domain names and URLs composition. We use this characteristic to build models representing the composition of phishing URLs and domain names using machine learning techniques and natural language processing models. The built models are used for several applications such as the identification of phishing domain names and phishing URLs, the rating of phishing URLs and the prediction of domain names used in phishing attacks. All the introduced techniques are assessed on ground truth data and show their efficiency by meeting speed, coverage and reliability requirements. This document shows that the use of lexical and semantic analysis can be applied to domain names and URLs and that this application is relevant to detect phishing attacks

Détection de l’hameçonnage

Surveillance du DNS

Analyse sémantique

Prédiction de l’hameçonnage

Sécurité de l’Internet

Machine learning

Phishing detection

DNS monitoring

Semantic analysis

URL lexical analysis

Internet security

Machine learning

005.8

Rozšíření aplikace DPDK DNS Probe / The DPDK DNS Probe Application Extension

Doležal, Pavel

January 2019

This master's thesis is focused on extension of the DPDK DNS Probe application that monitors DNS traffic in high speed networks. It presents framework DPDK, which can be used for fast packet processing. General architecture of the DNS system is described as well as details of its components. Basic principles of transport protocol TCP are described. It introduces an effective design and implementation of DNS packet parsing to optimize DPDK DNS Probe's performance. It also introduces a design and implementation of processing DNS messages sent over TCP for export of traffic statistics. The application's performance was tested using a high speed traffic generator Spirent.