Abstract
A significant number of domains frequently switch their name servers, for several reasons. In this work, we analyze name-server switching behavior and present a novel identifier called “NS-Switching Footprint” (NSSF) that can be used to cluster domains, enabling us to detect domains with suspicious behavior. We also design a time-series model that can be used to predict the number of name servers that a domain will interact with. We perform the experiments on a dataset that captures all .com and .net zone-change transactions (i.e., adding or deleting name servers for domains) from March 28 to June 27, 2013.
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Mohaisen, A., Bhuiyan, M., Labrou, Y. (2015). Name Server Switching: Anomaly Signatures, Usage, Clustering, and Prediction. In: Rhee, KH., Yi, J. (eds) Information Security Applications. WISA 2014. Lecture Notes in Computer Science, vol 8909. Springer, Cham. https://doi.org/10.1007/978-3-319-15087-1_16
DOI: https://doi.org/10.1007/978-3-319-15087-1_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-15086-4
Online ISBN: 978-3-319-15087-1
eBook Packages: Computer Science (R0)