Monitoring Security of Enterprise Hosts via DNS Data Analysis
Jawad Ahmed

TL;DR
This paper presents a method for monitoring enterprise host security by analyzing DNS data, detecting covert attacks like data exfiltration and malware C&C communication using machine learning on large-scale DNS traffic.
Contribution
It introduces a novel approach leveraging big data analysis and machine learning to detect DNS-based cyber-attacks in enterprise environments, addressing limitations of existing security appliances.
Findings
Effective detection of DNS-based attacks in real-world data
High accuracy in identifying data exfiltration and C&C communication
Demonstrated scalability with over 10 billion DNS packets
Abstract
Enterprise Networks are growing in scale and complexity, with heterogeneous connected assets needing to be secured in different ways. Nevertheless, virtually all connected assets use the Domain Name System (DNS) for address resolution, and DNS has thus become a convenient vehicle for attackers to covertly perform Command and Control (C&C) communication, data theft, and service disruption across a wide range of assets. Enterprise security appliances that monitor network traffic typically allow all DNS traffic through as it is vital for accessing any web service; they may at best match against a database of known malicious patterns, and are therefore ineffective against zero-day attacks. This thesis focuses on three high-impact cyber-attacks that leverage DNS, specifically data exfiltration, malware C&C communication, and service disruption. Using big data (over 10B packets) of DNS…
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Network Packet Processing and Optimization
