
Kim et al. J Surveill Secur Saf 2020;1:34-60 | http://dx.doi.org/10.20517/jsss.2020.14    Page 53

malware-related domains.
(2) Domain Watcher System[61]: A detection system that detects malicious domain names with local and global textual features based on machine learning. The system utilizes three textual features of domains: lexical features, imitation features, and bi-gram features. First, it uses the lexical features to combine the existing characteristic data provided by systems such as EXPOSURE[60] or Detection of Phishing Attacks[62] with new characteristics, such as the number of special characters and numeric characters in the domain name or the number of continuous numeric characters, so that the pattern can easily be fetched and normalized. Imitation features and bi-gram features both utilize the domain information, but imitation looks at the distance between domain names, while bi-gram looks at the similarity of the distribution of letters in domain names.
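The three textual feature families described above, as an added example that is not Domain Watcher's own code: lexical counts (special characters, digits, longest digit run), an imitation feature computed as edit distance to a reference set, and a bi-gram feature computed as cosine similarity to the reference set's letter-pair distribution. The reference label list is a constructed, hypothetical stand-in for the legitimate-domain data such a system would load.

```python
import math
import re
from collections import Counter
from typing import Dict, List

# Constructed reference labels (hypothetical stand-in for a legitimate-domain list).
LEGIT_LABELS: List[str] = ["google", "facebook", "wikipedia", "amazon", "microsoft", "youtube"]

def _label(domain: str) -> str:
    """Use only the leftmost label, e.g. 'go0gle' from 'go0gle.com'."""
    return domain.lower().split(".")[0]

def lexical_features(domain: str) -> Dict[str, int]:
    """The counts the text lists: special characters, digits, longest digit run."""
    label = _label(domain)
    digit_runs = re.findall(r"\d+", label)
    return {
        "length": len(label),
        "special_chars": sum(1 for c in label if not c.isalnum()),
        "numeric_chars": sum(1 for c in label if c.isdigit()),
        "max_digit_run": max((len(r) for r in digit_runs), default=0),
    }

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used here as the distance between domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def imitation_feature(domain: str) -> int:
    """Smallest edit distance to any reference label (0 = identical to one)."""
    return min(levenshtein(_label(domain), ref) for ref in LEGIT_LABELS)

def bigrams(text: str) -> Counter:
    return Counter(text[i:i + 2] for i in range(len(text) - 1))

def bigram_similarity(domain: str) -> float:
    """Cosine similarity of the label's bi-gram distribution to the reference set's."""
    ref: Counter = Counter()
    for r in LEGIT_LABELS:
        ref.update(bigrams(r))
    d = bigrams(_label(domain))
    dot = sum(d[k] * ref[k] for k in d)
    norm = math.sqrt(sum(v * v for v in d.values())) * math.sqrt(sum(v * v for v in ref.values()))
    return dot / norm if norm else 0.0
```

A look-alike such as `go0gle.com` scores an imitation distance of 1 to the reference set, while a random-looking label shares no bi-grams with it and gets a similarity of 0.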
(3) Anax[63]: A DNS protection system that detects cache poisoning attacks using a large set of open recursive DNS servers (ORDNSs), identifying poisoned DNS caches through DNS records. An infrastructure is added to intercept DNS responses (DNS Scanning Points) and to collect and process the resulting data (DNS Data Collector). A Data Preparation Engine analyzes and labels this data offline, in training mode. A Detection Engine then monitors DNS responses in real time and flags suspicious responses as poisoning attempts.
(4) Notos, a Dynamic Reputation System for DNS[59]: a dynamic reputation system that computes scores for domain names. The goal is to determine whether a domain is legitimate or malicious using the distinctive features or characteristics of malicious domains.

Other methods of DNS attack detection have been proposed. Zhang et al.[64] introduce a new detection method based on machine learning and hybrid methods, which obtains DNS data through active domain name data or passive domain name data. Palau et al.[65] propose an approach to detect DNS tunneling based on a Convolutional Neural Network (CNN) with minimal architectural complexity. They also use their own dataset, which contains DNS tunneling domains generated with five well-known DNS tunneling tools. The resulting CNN model correctly detected more than 92% of all tunneling domains with a false positive rate close to 0.8%. Rajendran et al.[66] use specific properties of DNS amplification and DNS tunneling attacks and present a number of countermeasures and mitigation techniques to protect the DNS infrastructure against these attacks.

Fast Flux generates a variety of domain names based on specific algorithms to avoid suppression. Conventional DNS-based detection approaches and blacklist filtering are ineffective against the Fast Flux attack. Methods for analyzing new DNS traffic patterns using these Fast Flux characteristics have been developed. These methods recognize overwhelmingly large or abnormal DNS traffic, filter suspicious DNS mappings, and detect domains made of pseudorandom strings generated by the algorithm by comparing them with legitimate domain patterns[67-69]. In particular, DNSMap[67] can quickly identify excessive DNS traffic in real time by analyzing the DNS mapping of abnormal domains and IP addresses through graphical analysis, unlike conventional methods of domain analysis based on machine learning.
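The mapping-graph idea behind the DNSMap-style approach above, as an added example that is not DNSMap's own code: observed DNS responses are turned into a bipartite domain-to-IP graph, domains that map to many distinct IPs with short TTLs are flagged, and the other domains sharing those IPs are reported as the same component. The response records, thresholds and addresses are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed DNS responses as (queried domain, TTL in seconds, answered IP).
# Hypothetical values in documentation address ranges.
RESPONSES: List[Tuple[str, int, str]] = [
    ("shop.example", 3600, "203.0.113.10"),
    ("shop.example", 3600, "203.0.113.10"),
    ("news.example", 3600, "203.0.113.20"),
    ("qx7fk2a9.example", 120, "198.51.100.5"),
    ("qx7fk2a9.example", 120, "198.51.100.77"),
    ("qx7fk2a9.example", 120, "192.0.2.33"),
    ("qx7fk2a9.example", 120, "192.0.2.91"),
    ("p0rt4l-login.example", 300, "198.51.100.5"),
    ("p0rt4l-login.example", 300, "192.0.2.33"),
]

def build_mapping_graph(records):
    """Bipartite graph of the observed mappings: domain -> IPs and IP -> domains."""
    dom_to_ip: Dict[str, Set[str]] = defaultdict(set)
    ip_to_dom: Dict[str, Set[str]] = defaultdict(set)
    for domain, _ttl, ip in records:
        dom_to_ip[domain].add(ip)
        ip_to_dom[ip].add(domain)
    return dom_to_ip, ip_to_dom

def flux_candidates(records, max_ips: int = 2, max_ttl: int = 600) -> Dict[str, List[str]]:
    """Flag domains mapped to many IPs with short TTLs (constructed thresholds), and
    list the other domains reachable from them through shared IPs."""
    dom_to_ip, ip_to_dom = build_mapping_graph(records)
    min_ttl: Dict[str, int] = {}
    for domain, ttl, _ip in records:
        min_ttl[domain] = min(ttl, min_ttl.get(domain, ttl))
    flagged: Dict[str, List[str]] = {}
    for domain, ips in dom_to_ip.items():
        if len(ips) > max_ips and min_ttl[domain] <= max_ttl:
            linked = set().union(*(ip_to_dom[ip] for ip in ips)) - {domain}
            flagged[domain] = sorted(linked)
    return flagged
```

On the constructed records only `qx7fk2a9.example` exceeds the fan-out threshold, and the shared IPs tie `p0rt4l-login.example` to it even though that domain alone stays under the threshold.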

5.2.2 Security extension of DNS records
DNS records provide information about domains that is needed by users. More information may be added to provide data integrity and to improve or extend trust. Several methods attempt to do so with less overhead than DNSSEC.

(1) The Transaction SIGnature (TSIG) using the CGA (Cryptographically Generated Addresses) Algorithm in IPv6[70]: DNS has a security problem between the client and the DNS resolver due to the untrustworthy resolver, as discussed in the ‘Vulnerabilities’ section. To address this issue, TSIG is used. TSIG establishes a trust relationship between a client and a DNS server. This process provides not only end-to-end authentication but also data integrity between the two parties through a one-way hash algorithm and shared