DNS Traffic Analysis
Analysis of domain name metadata, including name and DNS records, to determine whether the domain is likely to resolve to an undesirable host.Synonyms: Domain Name Analysis .
How it works
This technique can be accomplished in a number of ways.
- One example analytic determines whether or not a domain name was generated with an algorithm. Domain generation algorithms (DGAs) are sometimes used to create a domain name automatically that will resolve to C2 infrastructure, without directly coding the domains in question into the malicious code.
- Another method analyzes information about domains that have been visited, including whether a domain name is longer than a common length, if a dynamic DNS domain was visited, if a fast-flux domain was visited, and if a recently created domain was visited. These factors are used to develop a score and if that score is over a certain threshold, an alert is generated.
- Collected malware samples can be executed in a virtual environment to identify network domains that are connected to during execution. The network domains are then generated into signatures to identity bad domains for other hosts.
This technique does not check for content hosted at the domain.
- DNS produces a large amount of traffic which can be resource-intensive to analyze in real time.
- If a server is compromised, for example, as part of a watering hole attack, but the DNS information pointing to that server is not altered, this technique would not catch such an incident.
The following references were used to develop the DNS Traffic Analysis knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
Domain age registration alert
Heuristic botnet detection
This patent describes detecting botnets using heuristic analysis techniques on collected network flows. The heuristic techniques include:
- Identifying suspicious traffic patterns to detect command and control traffic ex. periodically visiting a known malware URL, a host visiting a malware domain twice every 5 hour and 14 minutes (this is a specific pattern for a variant of Swizzor botnets).
- Identifying non-standard behaviors such as connecting to a non-standard HTTP port for HTTP traffic, visiting a non-existent domain, downloading executable files with non-standard executable file extensions, communicating using HTTP header with a shorter than common length
- Analyzing visited domain information to identify the following: visiting a domain with a domain name that is longer than a common domain name length, visiting a dynamic DNS domain, visiting a fast-flux domain, and visiting a recently created domain.
A score is determined based on these factors and if the score is over a threshold, a responsive action is performed.
Method and system for detecting algorithm-generated domains
This patent describes detecting algorithm generated domains (AGD). DNS requests and responses are analyzed by first checking whether the domain matches existing data sets that specify different types of AGDs with known characteristics, such as Evil Twin Domains, Sinkholed domains, sleeper cells, ghost domains, parked domains, and/or bulk-registered domains. In addition to comparing domains against known data sets, the following information is collected to perform analysis:
- IP Information: checks for information known about the IP addresses returned in the DNS response, including the number of IP addresses returned, the registered owners of the IP addresses, or different IP addresses returned for the same domain (IP fluxing)
- Domain Registration: examines the domain registration date, domain update date, domain expiration date, registrant identity, and authorized name servers associated with a specific domain name.
- Domain Popularity: provides information on the popularity of a domain name.
Based on analysis of these factors a score is developed; if the score is above a certain threshold, an alert is generated.
Predicting Domain Generation Algorithms with Long Short-Term Memory Networks
Sinkholing bad network domains by registering the bad network domains on the internet
This patent describes a technique to identify bad domains that are associated with malware and sinkhole the bad domain. Bad domains are identified by receiving malware samples and executing the malware sample in a virtual execution environment to identify network domains that the malware sample attempts to connect to during execution. Network domains that are identified during malware execution are then generated into signatures to identity bad domains for other hosts. Once identified, the bad domains are sinkholed by translating the domain to a valid IP address that is associated with a device controlled by a cloud security provider.