A Detection Method Against DNS Cache Poisoning Attacks Using Machine Learning Techniques: Work in Progress
Title | A Detection Method Against DNS Cache Poisoning Attacks Using Machine Learning Techniques: Work in Progress |
Publication Type | Conference Paper |
Year of Publication | 2019 |
Authors | Jin, Y., Tomoishi, M., Matsuura, S. |
Conference Name | 2019 IEEE 18th International Symposium on Network Computing and Applications (NCA) |
Date Published | Sept. 2019 |
Publisher | IEEE |
ISBN Number | 978-1-7281-2522-0 |
Keywords | AI Poisoning, authoritative DNS server, cache poisoning attack, cache storage, cached DNS data, compromised authoritative DNS servers, Computer crime, computer network security, Databases, detection method, DNS, DNS based domain name resolution, DNS cache poisoning attacks, DNS cache servers, DNS packet, DNS response packets, DNS security extensions, feature extraction, GeoIP related features, Human Behavior, Internet, IP networks, Kaminsky attack, learning (artificial intelligence), machine learning, machine learning techniques, pubcrawl, resilience, Resiliency, Scalability, security of data, Servers, standard DNS protocols, time related features, Training |
Abstract | DNS based domain name resolution has been known as one of the most fundamental Internet services. In the meanwhile, DNS cache poisoning attacks also have become a critical threat in the cyber world. In addition to Kaminsky attacks, the falsified data from the compromised authoritative DNS servers also have become the threats nowadays. Several solutions have been proposed in order to prevent DNS cache poisoning attacks in the literature for the former case such as DNSSEC (DNS Security Extensions), however no effective solutions have been proposed for the latter case. Moreover, due to the performance issue and significant workload increase on DNS cache servers, DNSSEC has not been deployed widely yet. In this work, we propose an advanced detection method against DNS cache poisoning attacks using machine learning techniques. In the proposed method, in addition to the basic 5-tuple information of a DNS packet, we intend to add a lot of special features extracted based on the standard DNS protocols as well as the heuristic aspects such as "time related features", "GeoIP related features" and "trigger of cached DNS data", etc., in order to identify the DNS response packets used for cache poisoning attacks especially those from compromised authoritative DNS servers. In this paper, as a work in progress, we describe the basic idea and concept of our proposed method as well as the intended network topology of the experimental environment while the prototype implementation, training data preparation and model creation as well as the evaluations will belong to the future work. |
URL | https://ieeexplore.ieee.org/document/8935025 |
DOI | 10.1109/NCA.2019.8935025 |
Citation Key | jin_detection_2019 |