Improving Long-term Accuracy of DNS Backscatter for Monitoring of Internet-Wide Malicious Activity (poster)

Qadeer, Abdul and Heidemann, John and Fukuda, Kensuke
USC/Information Sciences Institute

Abdul Qadeer, John Heidemann and Kensuke Fukuda 2016. Improving Long-term Accuracy of DNS Backscatter for Monitoring of Internet-Wide Malicious Activity (poster). Technical Report ISI-TR-2016-707. USC/Information Sciences Institute.

Abstract

Internet-wide malicious activities are prevalent on the Internet. Such activities include the malicious, like spamming and scanning, and the benign, like large e-mailing lists and content delivery networks. We’ve previously shown that they can be detected centrally with DNS backscatter, and developed a classifier using supervised learning. However, long-term detection is difficult because activities change rapidly over time, either to evade detection or as they naturally evolve, and manual training is expensive. Our solution extends backscatter-based detection by identifying how behavior evolves, how often we need to retrain, and how to retrain without human supervision. Details are in the attached poster.

Reference

@techreport{Qadeer16a,
  author = {Qadeer, Abdul and Heidemann, John and Fukuda, Kensuke},
  title = {Improving Long-term Accuracy of DNS Backscatter for Monitoring of Internet-Wide Malicious Activity (poster)},
  institution = {USC/Information Sciences Institute},
  year = {2016},
  sortdate = {2016-04-29},
  project = {ant, lacrend, retrofuture},
  jsubject = {dns},
  number = {ISI-TR-2016-707},
  month = apr,
  location = {johnh: pafile},
  keywords = {network outage detection, hurricane sandy},
  url = {http://www.isi.edu/%7ejohnh/PAPERS/Qadeer16a.html},
  pdfurl = {http://www.isi.edu/%7ejohnh/PAPERS/Qadeer16a.pdf},
  dataseturl = {https://ant.isi.edu/datasets/dns_backscatter/index.html},
  myorganization = {USC/Information Sciences Institute},
  copyrightholder = {authors}
}