DNS Traffic Analysis
Definition
Analysis of domain name metadata, including name and DNS records, to determine whether the domain is likely to resolve to an undesirable host.
Synonyms: Domain Name Analysis.
How it works
This technique can be accomplished in a number of ways.
- One example analytic determines whether a domain name was generated by an algorithm. Domain generation algorithms (DGAs) are used by some malware to produce candidate domain names at runtime that resolve to C2 infrastructure, so the domains never have to be hard-coded into the malicious code; such names tend to look random (high character entropy, few vowels, many digits) compared with human-chosen names.
- Another method analyzes information about the domains a host has visited: whether a domain name is longer than a typical name, whether a dynamic DNS domain was visited, whether a fast-flux domain was visited, and whether a recently created domain was visited. Each factor contributes to a score, and if the score exceeds a threshold an alert is generated.
- Collected malware samples can be executed in a virtual environment to identify the network domains they connect to during execution. Those domains are then turned into signatures that identify bad domains when other hosts resolve them.
This technique examines only the name and its DNS records; it does not check the content hosted at the domain.
Considerations
- DNS produces a large amount of traffic which can be resource-intensive to analyze in real time.
- If a server is compromised, for example as part of a watering hole attack, but the DNS information pointing to that server is not altered, this technique will not catch the incident: the name and its records look exactly as they did before the compromise.
References
The following references were used to develop the DNS Traffic Analysis knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
Domain age registration alert
Heuristic botnet detection
MITRE Comments
This patent describes detecting botnets using heuristic analysis techniques on collected network flows. The heuristic techniques include:
- Identifying suspicious traffic patterns to detect command and control traffic, e.g. periodically visiting a known malware URL, or a host visiting a malware domain twice every 5 hours and 14 minutes (a specific pattern of a variant of the Swizzor botnet).
- Identifying non-standard behaviors such as connecting to a non-standard HTTP port for HTTP traffic, visiting a non-existent domain, downloading executable files with non-standard executable file extensions, or communicating using an HTTP header shorter than the common length.
- Analyzing visited domain information to identify the following: visiting a domain with a domain name that is longer than a common domain name length, visiting a dynamic DNS domain, visiting a fast-flux domain, and visiting a recently created domain.
A score is determined from these factors, and if the score is over a threshold a responsive action is performed.
Method and system for detecting algorithm-generated domains
MITRE Comments
This patent describes detecting algorithm-generated domains (AGDs). DNS requests and responses are analyzed by first checking whether the domain matches existing data sets that specify different types of AGDs with known characteristics, such as Evil Twin domains, sinkholed domains, sleeper cells, ghost domains, parked domains, and/or bulk-registered domains. In addition to comparing domains against known data sets, the following information is collected to perform analysis:
- IP Information: checks for information known about the IP addresses returned in the DNS response, including the number of IP addresses returned, the registered owners of the IP addresses, or different IP addresses returned for the same domain (IP fluxing)
- Domain Registration: examines the domain registration date, domain update date, domain expiration date, registrant identity, and authorized name servers associated with a specific domain name.
- Domain Popularity: provides information on the popularity of a domain name.
Based on analysis of these factors a score is developed; if the score is above a certain threshold, an alert is generated.
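The scoring described in the "How it works" section (long names, dynamic DNS, fast flux, recent registration) and in the two patent comments above (IP fluxing, registration date, popularity) as one added worked example. This is example code written for this article, not an implementation of either patent. Because it must run offline, the resolver responses, the WHOIS/RDAP registration dates, the popularity ranking, the dynamic DNS provider list, the point weights and the fixed analysis time are all constructed assumptions; in production each would come from the resolver log and external data sources.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Fixed analysis time so the example is deterministic (constructed).
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)

# Illustrative suffix list (assumption: a real deployment uses the Public Suffix List).
KNOWN_SUFFIXES = {"com", "net", "org", "xyz", "info"}
# Illustrative dynamic DNS providers; a real list is much longer.
DYNAMIC_DNS_PROVIDERS = {"duckdns.org", "no-ip.org", "dyndns.org"}

# Constructed stand-ins for WHOIS/RDAP registration dates and a popularity ranking.
REGISTRATION_DATE = {
    "example.com": datetime(1995, 8, 14, tzinfo=timezone.utc),
    "secure-update-portal-for-account.xyz": datetime(2024, 4, 26, tzinfo=timezone.utc),
}
POPULARITY_RANK = {"example.com": 1000}

# Constructed resolver log: (qname, answer IPs, TTL) in observation order.
RESPONSES = [
    ("www.example.com", ["192.0.2.10"], 3600),
    ("www.example.com", ["192.0.2.10"], 3600),
    ("myhost.duckdns.org", ["203.0.113.40"], 60),
    ("secure-update-portal-for-account.xyz", ["198.51.100.10", "198.51.100.11"], 60),
    ("secure-update-portal-for-account.xyz", ["203.0.113.5", "203.0.113.6"], 60),
    ("secure-update-portal-for-account.xyz", ["192.0.2.77"], 60),
]


def registrable_domain(qname):
    """Return the registered domain, e.g. 'duckdns.org' for myhost.duckdns.org."""
    parts = qname.lower().rstrip(".").split(".")
    if len(parts) >= 2 and parts[-1] in KNOWN_SUFFIXES:
        return ".".join(parts[-2:])
    return qname.lower()


def group_responses(responses):
    """Aggregate per qname: set of distinct answer IPs, answer count, lowest TTL seen."""
    by_name = defaultdict(lambda: {"ips": set(), "answers": 0, "min_ttl": None})
    for qname, ips, ttl in responses:
        g = by_name[qname]
        g["ips"].update(ips)
        g["answers"] += 1
        g["min_ttl"] = ttl if g["min_ttl"] is None else min(g["min_ttl"], ttl)
    return by_name


def score_domain(qname, stats):
    """Return (score, reasons). Weights are illustrative, not tuned on real data."""
    reg = registrable_domain(qname)
    score, reasons = 0, []
    # IP fluxing: many distinct answers with short TTLs across a handful of lookups.
    if len(stats["ips"]) >= 4 and stats["min_ttl"] <= 300:
        score += 3
        reasons.append("ip-flux")
    registered = REGISTRATION_DATE.get(reg)
    if registered is not None and (NOW - registered).days <= 30:
        score += 2
        reasons.append("recently-registered")
    if reg in DYNAMIC_DNS_PROVIDERS:
        score += 2
        reasons.append("dynamic-dns")
    if reg not in POPULARITY_RANK:
        score += 1
        reasons.append("unranked")
    if len(qname) > 30:
        score += 1
        reasons.append("long-name")
    return score, reasons


ALERT_THRESHOLD = 4


def alerts(responses):
    """Return [(qname, score, reasons)] for every name at or above the threshold."""
    out = []
    for qname, stats in group_responses(responses).items():
        score, reasons = score_domain(qname, stats)
        if score >= ALERT_THRESHOLD:
            out.append((qname, score, reasons))
    return out


if __name__ == "__main__":
    for qname, score, reasons in alerts(RESPONSES):
        print(f"ALERT {qname} score={score} ({', '.join(reasons)})")
```

The dynamic DNS host scores only 3 here and is not alerted on: by itself, use of a dynamic DNS provider is common in benign traffic, so it only pushes a domain over the threshold in combination with other factors. Note also that unknown registration data is treated as "no evidence" rather than as suspicious, which keeps a WHOIS outage from producing a flood of alerts.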
Predicting Domain Generation Algorithms with Long Short-Term Memory Networks
Sinkholing bad network domains by registering the bad network domains on the internet
MITRE Comments
This patent describes a technique to identify bad domains that are associated with malware and to sinkhole them. Bad domains are identified by receiving malware samples and executing each sample in a virtual execution environment to identify the network domains it attempts to connect to during execution. Domains identified this way are then turned into signatures that identify bad domains on other hosts. Once identified, a bad domain is sinkholed by resolving it to a valid IP address of a device controlled by a cloud security provider, so that infected hosts connect to the provider's sinkhole instead of the attacker's infrastructure.
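The sandbox-to-sinkhole workflow above, and the third analytic in the "How it works" section, as an added worked example (example code written for this article, not the patent's implementation). It takes the domains each sandboxed sample resolved, drops benign infrastructure that malware also contacts, renders the remaining domains as a BIND Response Policy Zone that rewrites them (and their subdomains) to a sinkhole address, and matches the same list against a DNS log from other hosts. The sample runs, the allow-list, the fleet log and the sinkhole address (a documentation-range IP) are constructed assumptions; the RPZ record format is the standard one.

```python
from collections import defaultdict

# Constructed sandbox results: domains each sample resolved while executing.
SANDBOX_RUNS = {
    "sample-a.bin": ["c2-beacon.example", "telemetry.os-vendor.example", "time.os-vendor.example"],
    "sample-b.bin": ["c2-beacon.example", "update-relay.example", "telemetry.os-vendor.example"],
}
# Constructed allow-list: OS and vendor services that benign and malicious code both contact.
BENIGN_ALLOWLIST = {"telemetry.os-vendor.example", "time.os-vendor.example"}
# Documentation-range address standing in for the provider's sinkhole (assumption).
SINKHOLE_IP = "192.0.2.53"


def extract_signatures(runs, allowlist):
    """Map each contacted domain to the samples that resolved it, minus allow-listed names."""
    sigs = defaultdict(set)
    for sample, domains in runs.items():
        for d in domains:
            d = d.lower().rstrip(".")
            if d not in allowlist:
                sigs[d].add(sample)
    return dict(sigs)


def rpz_zone(signatures, sinkhole_ip, origin="rpz.local"):
    """Render a BIND RPZ zone whose local-data records answer each bad domain
    (and any subdomain) with the sinkhole address instead of the real one."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 60",
        "@ IN SOA localhost. hostmaster.localhost. 1 3600 600 86400 60",
        "@ IN NS localhost.",
    ]
    for domain in sorted(signatures):
        lines.append(f"{domain} IN A {sinkhole_ip}")
        lines.append(f"*.{domain} IN A {sinkhole_ip}")
    return "\n".join(lines) + "\n"


# Constructed DNS query log from other hosts: "<client> <qname>" per line.
FLEET_LOG = """\
10.0.1.4 www.example.com
10.0.1.9 c2-beacon.example
10.0.2.2 files.update-relay.example
10.0.3.7 telemetry.os-vendor.example
"""


def match_hosts(log_text, signatures):
    """Return (client, qname, signature) for queries to a bad domain or one of its subdomains."""
    hits = []
    for line in log_text.splitlines():
        client, qname = line.split()
        q = qname.lower().rstrip(".")
        for sig in signatures:
            if q == sig or q.endswith("." + sig):
                hits.append((client, qname, sig))
    return hits


if __name__ == "__main__":
    sigs = extract_signatures(SANDBOX_RUNS, BENIGN_ALLOWLIST)
    print(rpz_zone(sigs, SINKHOLE_IP))
    for client, qname, sig in match_hosts(FLEET_LOG, sigs):
        print(f"{client} resolved {qname} (matches sandbox-derived signature {sig})")
```

The allow-list step matters in practice: sandboxed malware routinely resolves update, time and telemetry services of the operating system, and without filtering those out the generated signatures would sinkhole legitimate infrastructure for every host behind the resolver.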