Detecting DNS hijacking by using NetFlow data

Martin  Fejrskov; Jens Myrup Pedersen; Emmanouil Vasilomanolakis

doi:10.1109/CNS56114.2022.9947264

Detecting DNS hijacking by using NetFlow data

Martin Fejrskov, Jens Myrup Pedersen, Emmanouil Vasilomanolakis

Research output: Chapter in Book/Report/Conference proceeding › Article in proceedings › Research › peer-review

362 Downloads (Orbit)

Abstract

DNS hijacking represents a security threat to users because it enables bypassing existing DNS security measures. Several malware families exploit this by changing the client DNS configuration to point to a malicious DNS resolver. Following the assumption that users will never actively choose to use a resolver that is not well-known, our paper introduces the idea of detecting client-based DNS hijacking by classifying public resolvers based on whether they are well-known or not. Furthermore, we propose to use NetFlow-based features to classify a resolver as well-known or malicious. By characterizing and manually labelling the 405 resolvers seen in four weeks of NetFlow data from a national ISP, we show that classification of both well-known and malicious servers can be made with an AUROC of 0.85.

Original language	English
Title of host publication	Proceedings of 10^th IEEE Conference on Communications and Network Security
Number of pages	8
Publisher	IEEE
Publication date	2022
ISBN (Print)	978-1-6654-6256-3
DOIs	https://doi.org/10.1109/CNS56114.2022.9947264
Publication status	Published - 2022
Event	10^th annual IEEE Conference on Communications and Network Security - Hilton Austin, Austin, United States Duration: 3 Oct 2022 → 5 Oct 2022 https://cns2022.ieee-cns.org/

Conference

Conference	10^th annual IEEE Conference on Communications and Network Security
Location	Hilton Austin
Country/Territory	United States
City	Austin
Period	03/10/2022 → 05/10/2022
Internet address	https://cns2022.ieee-cns.org/

Keywords

NetFlow
IPFix
DNS
Hijacking
Malware

Access to Document

10.1109/CNS56114.2022.9947264

FulltextAccepted author manuscript, 314 KB

OpenUrl availability

Full text

Cite this

@inproceedings{214bded877044ccfb65846d25c922fd7,

title = "Detecting DNS hijacking by using NetFlow data",

abstract = "DNS hijacking represents a security threat to users because it enables bypassing existing DNS security measures. Several malware families exploit this by changing the client DNS configuration to point to a malicious DNS resolver. Following the assumption that users will never actively choose to use a resolver that is not well-known, our paper introduces the idea of detecting client-based DNS hijacking by classifying public resolvers based on whether they are well-known or not. Furthermore, we propose to use NetFlow-based features to classify a resolver as well-known or malicious. By characterizing and manually labelling the 405 resolvers seen in four weeks of NetFlow data from a national ISP, we show that classification of both well-known and malicious servers can be made with an AUROC of 0.85.",

keywords = "NetFlow, IPFix, DNS, Hijacking, Malware",

author = "Martin Fejrskov and Pedersen, \{Jens Myrup\} and Emmanouil Vasilomanolakis",

year = "2022",

doi = "10.1109/CNS56114.2022.9947264",

language = "English",

isbn = "978-1-6654-6256-3",

booktitle = "Proceedings of 10th IEEE Conference on Communications and Network Security",

publisher = "IEEE",

address = "United States",

note = "10<sup>th</sup> annual IEEE Conference on Communications and Network Security, CNS 2022 ; Conference date: 03-10-2022 Through 05-10-2022",

url = "https://cns2022.ieee-cns.org/",

}

TY - GEN

T1 - Detecting DNS hijacking by using NetFlow data

AU - Fejrskov, Martin

AU - Pedersen, Jens Myrup

AU - Vasilomanolakis, Emmanouil

PY - 2022

Y1 - 2022

N2 - DNS hijacking represents a security threat to users because it enables bypassing existing DNS security measures. Several malware families exploit this by changing the client DNS configuration to point to a malicious DNS resolver. Following the assumption that users will never actively choose to use a resolver that is not well-known, our paper introduces the idea of detecting client-based DNS hijacking by classifying public resolvers based on whether they are well-known or not. Furthermore, we propose to use NetFlow-based features to classify a resolver as well-known or malicious. By characterizing and manually labelling the 405 resolvers seen in four weeks of NetFlow data from a national ISP, we show that classification of both well-known and malicious servers can be made with an AUROC of 0.85.

AB - DNS hijacking represents a security threat to users because it enables bypassing existing DNS security measures. Several malware families exploit this by changing the client DNS configuration to point to a malicious DNS resolver. Following the assumption that users will never actively choose to use a resolver that is not well-known, our paper introduces the idea of detecting client-based DNS hijacking by classifying public resolvers based on whether they are well-known or not. Furthermore, we propose to use NetFlow-based features to classify a resolver as well-known or malicious. By characterizing and manually labelling the 405 resolvers seen in four weeks of NetFlow data from a national ISP, we show that classification of both well-known and malicious servers can be made with an AUROC of 0.85.

KW - NetFlow

KW - IPFix

KW - DNS

KW - Hijacking

KW - Malware

U2 - 10.1109/CNS56114.2022.9947264

DO - 10.1109/CNS56114.2022.9947264

M3 - Article in proceedings

SN - 978-1-6654-6256-3

BT - Proceedings of 10th IEEE Conference on Communications and Network Security

PB - IEEE

T2 - 10<sup>th</sup> annual IEEE Conference on Communications and Network Security

Y2 - 3 October 2022 through 5 October 2022

ER -

Detecting DNS hijacking by using NetFlow data

Abstract

Conference

Keywords

Access to Document

OpenUrl availability

Fingerprint

Cite this