Flexible Traffic and Host Profiling via DNS Rendezvous
Authors
Abstract
The ability to accurately classify network traffic and to perform timely detection of the presence of unwanted classes of traffic has important implications for network operations and security. In recent years, classification has become more challenging due to applications that use ports that are not well-known, that overload or masquerade with other applications' well-known ports, and that may encrypt or otherwise obfuscate their payload. The goal of our work is to develop a method for traffic classification that is flexible, i.e., that can be used to create arbitrary organizations of traffic from coarse to fine-grained groups, and can identify encrypted traffic as well as new applications. In this paper, we present a novel method for classification based on analyzing rendezvous traffic (i.e., the traffic preamble in which a given host determines the remote IP address of a peer host or service) that usually precedes application traffic. Our approach exploits the most widely used rendezvous service, the Domain Name System (DNS). Specifically, through careful tracking of client IP addresses, alphanumeric domain names, and answer IP addresses in rendezvous traffic, we apply classification labels to end-hosts and their traffic as reported by flow-export data. Additionally, we present the notion of host profiling as a method for expanding traffic classification in cases where there is not a direct match between rendezvous traffic and application traffic. To assess the feasibility of our method, we perform a focused case study on one day in the lives of two drastically different user end-host populations: office and residential. Our results demonstrate the efficacy and capability of a DNS rendezvous-based method of classification that performs well even in situations where application payload is encrypted (or unavailable) or when application traffic is monitored by packet sampling.
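As an added example (not code from the paper), the following sketch shows the core correlation the abstract describes: DNS answers keyed by (client IP, answer IP) label the flows that follow them, and a per-answer-IP profile labels flows with no preceding lookup from that client (e.g. a cached resolution). The sample DNS answers, flow records, label map and 300-second window are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: DNS answers seen at the resolver as
# (time, client_ip, queried_name, answer_ip), and flow-export records as
# (time, src_ip, dst_ip, dst_port). Addresses are documentation ranges.
DNS_ANSWERS = [
    (100, "10.0.0.5", "mail.example-corp.test", "198.51.100.10"),
    (105, "10.0.0.5", "video.example-cdn.test", "203.0.113.20"),
    (110, "10.0.0.7", "video.example-cdn.test", "203.0.113.21"),
]
FLOWS = [
    (101, "10.0.0.5", "198.51.100.10", 993),  # preceded by its own lookup
    (106, "10.0.0.5", "203.0.113.20", 443),   # encrypted, still labelled via DNS
    (400, "10.0.0.7", "203.0.113.20", 443),   # no lookup by this client: profiled
    (120, "10.0.0.9", "192.0.2.99", 22),      # no rendezvous traffic at all
]
# Assumed label map keyed by domain suffix; granularity is the operator's choice.
LABELS = {"example-corp.test": "mail", "example-cdn.test": "video"}
WINDOW = 300  # seconds a DNS answer is taken to precede the application flow


def label_for(qname):
    """Longest-suffix match of a queried name against the label map."""
    parts = qname.split(".")
    for i in range(len(parts)):
        label = LABELS.get(".".join(parts[i:]))
        if label:
            return label
    return None


def build_index(answers):
    """Direct index (client, answer_ip) -> [(time, label)] and an
    answer-IP profile answer_ip -> {labels} used when no direct match exists."""
    direct, by_ip = defaultdict(list), defaultdict(set)
    for t, client, qname, ip in answers:
        label = label_for(qname)
        if label:
            direct[(client, ip)].append((t, label))
            by_ip[ip].add(label)
    return direct, by_ip


def classify(flow, direct, by_ip, window=WINDOW):
    """Return (label, how): most recent in-window lookup by the same client wins;
    otherwise fall back to the answer-IP profile if it is unambiguous."""
    t, src, dst, _port = flow
    hits = [(ts, lab) for ts, lab in direct.get((src, dst), []) if 0 <= t - ts <= window]
    if hits:
        return max(hits)[1], "direct"
    profiled = by_ip.get(dst, set())
    if len(profiled) == 1:
        return next(iter(profiled)), "profiled"
    return "unknown", "none"


def classify_all(flows=FLOWS, answers=DNS_ANSWERS):
    direct, by_ip = build_index(answers)
    return [classify(f, direct, by_ip) for f in flows]
```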
Similar sources
Host Identity Protocol (HIP) Domain Name System (DNS) Extensions
Status of This Memo This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested. Distribution of this memo is unlimited. Abstract This document specifies a new resource record (RR) for the Domain Name System (DNS), and how to use it with the Host Identity Protocol (HIP). Thi...
Detection of NS Resource Record DNS Resolution Traffic, Host Search, and SSH Dictionary Attack Activities
We carried out an entropy study on the DNS query traffic from the Internet to the top domain DNS server in a university campus network through January 1st to March 31st, 2009. The obtained results are: (1) We observed a difference for the entropy changes among the total-, the A-, and the PTR resource records (RRs) based DNS query traffic from the Internet through January 17th to February 1st, 2...
Detecting Active Bot Networks Based on DNS Traffic Analysis
Abstract—One of the serious threats to cyberspace is the Bot networks or Botnets. Bots are malicious software that acts as a network and allows hackers to remotely manage and control infected computer victims. Given the fact that DNS is one of the most common protocols in the network and is essential for the proper functioning of the network, it is very useful for monitoring, detecting and redu...
Draft Ericsson Research Nomadic Lab
Host Identity Protocol (HIP) Domain Name System (DNS) Extensions draft-ietf-hip-dns-00 Status of this Memo This document is an Internet-Draft and is subject to all provisions of section 3 of RFC 3667. By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she beco...
A study of the impact of DNS resolvers on CDN performance using a causal approach
Resources such as Web pages or videos that are published in the Internet are referred to by their Uniform Resource Locator (URL). If a user accesses a resource via its URL, the host name part of the URL needs to be translated into a routable IP address. This translation is performed by the Domain Name System service (DNS). DNS also plays an important role when Content Distribution Networks (CDN...
Publication date: 2011