Abstract

The Domain Name System (DNS) is an essential protocol used by both legitimate Internet applications and cyber attacks. For example, botnets rely on DNS to support agile command and control infrastructures. An effective way to disrupt these attacks is to place malicious domains on a "blocklist" (or "blacklist") or to add a filtering rule in a firewall or network intrusion detection system. To evade such security countermeasures, attackers have used DNS agility, e.g., by using new domains daily to evade static blacklists and firewalls. In this paper we propose Notos, a dynamic reputation system for DNS. The premise of this system is that malicious, agile use of DNS has unique characteristics and can be distinguished from legitimate, professionally provisioned DNS services. Notos uses passive DNS query data and analyzes the network and zone features of domains. It builds models of known legitimate domains and malicious domains, and uses these models to compute a reputation score for a new domain indicative of whether the domain is malicious or legitimate. We have evaluated Notos in a large ISP's network with DNS traffic from 1.4 million users. Our results show that Notos can identify malicious domains with high accuracy (true positive rate of 96.8%) and low false positive rate (0.38%), and can identify these domains weeks or even months before they appear in public blacklists.
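To make the pipeline the abstract sketches concrete (passive DNS records in, per-domain network and zone features, models of known-good and known-bad domains, a reputation score for an unseen domain), here is an added illustration that is not the paper's code: the passive-DNS rows are constructed, and the particular features, the nearest-centroid scorer, and the labelled domain sets are assumptions standing in for the paper's own feature set and classifier.

```python
from collections import defaultdict
import ipaddress
import math

# Constructed passive-DNS rows: (domain, resolved IP, TTL seconds, ASN).
# Hypothetical values using documentation/benchmark ranges; not the paper's data.
PDNS = [
    ("static-cdn.example", "203.0.113.10", 3600, 64496),
    ("static-cdn.example", "203.0.113.11", 3600, 64496),
    ("bank.example", "198.51.100.5", 86400, 64497),
    ("bank.example", "198.51.100.5", 86400, 64497),
    ("qx7r1kd3.example", "192.0.2.7", 60, 64500),        # agile: many IPs/ASNs, low TTL
    ("qx7r1kd3.example", "198.18.44.9", 60, 64501),
    ("qx7r1kd3.example", "203.0.113.200", 60, 64502),
    ("p9z2w.example", "192.0.2.88", 120, 64503),
    ("p9z2w.example", "198.18.7.1", 120, 64504),
    ("new1domain.example", "192.0.2.50", 60, 64505),     # unseen domain to be scored
    ("new1domain.example", "198.18.9.9", 60, 64506),
]
KNOWN_GOOD = {"static-cdn.example", "bank.example"}   # assumed labelled sets
KNOWN_BAD = {"qx7r1kd3.example", "p9z2w.example"}

def features(rows):
    """Per-domain vector: distinct IPs, distinct ASNs, distinct /24s,
    log mean TTL (network features) and digit ratio of the label (zone feature)."""
    by_dom = defaultdict(list)
    for dom, ip, ttl, asn in rows:
        by_dom[dom].append((ip, ttl, asn))
    out = {}
    for dom, rs in by_dom.items():
        ips = {ip for ip, _, _ in rs}
        nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
        label = dom.split(".")[0]
        out[dom] = [len(ips), len({asn for _, _, asn in rs}), len(nets),
                    math.log(sum(t for _, t, _ in rs) / len(rs)),
                    sum(c.isdigit() for c in label) / len(label)]
    return out

def centroid(vecs):
    return [sum(col) / len(vecs) for col in zip(*vecs)]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def reputation(feats, good, bad):
    """Score in [0, 1]: near 1 resembles the known-legitimate model,
    near 0 resembles the known-malicious model (toy nearest-centroid stand-in)."""
    cg, cb = centroid([feats[d] for d in good]), centroid([feats[d] for d in bad])
    scores = {}
    for dom, v in feats.items():
        dg, db = dist(v, cg), dist(v, cb)
        scores[dom] = db / (dg + db) if dg + db else 0.5
    return scores
```

Running `reputation(features(PDNS), KNOWN_GOOD, KNOWN_BAD)` gives the unseen `new1domain.example` a low score because its IP/ASN churn and TTL resemble the agile domains, even though it is on no list.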