Enterprise Networks are growing in scale and complexity, with heterogeneous connected assets needing to be secured in different ways. Nevertheless, virtually all connected assets use the Domain Name System (DNS) for address resolution, and DNS has thus become a convenient vehicle for attackers to covertly perform Command and Control (C&C) communication, data theft, and service disruption across a wide range of assets. Enterprise security appliances that monitor network traffic typically allow all DNS traffic through as it is vital for accessing any web service; they may at best match against a database of known malicious patterns, and are therefore ineffective against zero-day attacks. This thesis focuses on three high-impact cyber-attacks that leverage DNS, specifically data exfiltration, malware C&C communication, and service disruption. Using big data (over 10B packets) of DNS network traffic collected from a University campus and a Government research organization over a 6-month period, we illustrate the anatomy of these attacks, train machines for automatically detecting such attacks, and evaluate their efficacy in the field.
翻译:企业网络的规模和复杂性正在扩大,需要以不同方式确保各种相互关联的资产的安全,然而,几乎所有连接的资产都使用域名系统解决地址问题,因此,域名系统已成为攻击者秘密进行指挥和控制通信、数据盗窃和各种资产服务中断的方便工具。 监测网络交通的企业安全设备一般允许所有域名通信通过网络,因为这对访问任何网络服务至关重要;它们最多可以与已知恶意模式数据库相对应,因此对零天攻击无效。该论文侧重于利用DNS的三种影响大的网络攻击,特别是数据过滤、恶意软件C&C通信和服务中断。使用从大学校园和政府研究组织收集的大数据(超过10B包),我们用6个月的时间来说明这些攻击的解剖情况,培训自动发现这类攻击的机器,并评估其在实地的功效。