Information fusion-based method for distributed domain name system cache poisoning attack detection and identification

In this study, the authors consider the detection and identification of distributed domain name system (DNS) cache poisoning attacks. In the distributed attack considered, multiple cache servers are attacked simultaneously and the attack intensity at each individual server is low. Existing detection methods that rely only on local information struggle with such an attack, because the anomalous features at each cache server are indistinct. To address this, the authors propose information fusion-based detection and identification methods. They observe that, under normal conditions, the entropies of the query Internet Protocol (IP) addresses seen by the cache servers are approximately stationary and statistically independent of one another, whereas under a distributed attack the correlation of these entropies across servers increases dramatically. On the basis of this feature, they use principal component analysis to design the detection and identification methods: an attack is declared when the largest eigenvalue of the normalised entropies matrix exceeds a threshold, and the attacked servers are identified from the main loading vector. Finally, they use a large-scale DNS in China and a simulation as two examples to show the effectiveness of their methods.
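
The pipeline sketched in the abstract, written out as an added illustration that is not the authors' code: per-window Shannon entropy of each server's query source IPs, z-score normalisation of each server's entropy series, principal component analysis taken as the largest eigenvalue and eigenvector of the sample correlation matrix of those normalised series (computed by power iteration in pure Python), an eigenvalue threshold for detection and the main loading vector for identification. The entropy series, the attack model (a small common fluctuation shared only by the attacked servers), the eigenvalue threshold of 1.8 and the loading cut-off are constructed assumptions; the paper's actual threshold and the exact matrix it decomposes are not given on this page.

```python
"""Distributed DNS cache-poisoning detection via PCA over per-server query-IP entropies.

Added illustration of the abstract's method. The data, the attack model and every
threshold below are assumptions for the example, not the authors' parameters.
"""
import math
import random


def shannon_entropy(counts):
    """Entropy in bits of a query source-IP histogram {ip: count} for one window."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)


def zscore_rows(matrix):
    """Normalise each server's entropy series to zero mean and unit variance."""
    out = []
    for row in matrix:
        n = len(row)
        mean = sum(row) / n
        var = sum((x - mean) ** 2 for x in row) / (n - 1)
        sd = math.sqrt(var) if var > 0 else 1.0
        out.append([(x - mean) / sd for x in row])
    return out


def correlation_matrix(z):
    """Sample correlation matrix (servers x servers) of the normalised entropies."""
    n, t = len(z), len(z[0])
    return [[sum(z[i][k] * z[j][k] for k in range(t)) / (t - 1) for j in range(n)]
            for i in range(n)]


def power_iteration(m, iters=1000, tol=1e-10):
    """Largest eigenvalue and its unit eigenvector of a symmetric PSD matrix.

    ||M v|| is non-decreasing over iterations and converges to the top eigenvalue,
    so an early stop still yields an estimate that is never above the true value."""
    n = len(m)
    v = [1.0 / math.sqrt(n)] * n
    lam = 0.0
    for _ in range(iters):
        w = [sum(m[i][j] * v[j] for j in range(n)) for i in range(n)]
        norm = math.sqrt(sum(x * x for x in w))
        v = [x / norm for x in w]
        if abs(norm - lam) < tol:
            lam = norm
            break
        lam = norm
    return lam, v


def detect_and_identify(entropies, eig_threshold=1.8, loading_ratio=0.5):
    """Return (attack flag, largest eigenvalue, sorted indices of attacked servers).

    An attack is declared when the largest eigenvalue of the correlation matrix of
    normalised entropies exceeds eig_threshold (assumed value). Servers whose absolute
    loading on the main eigenvector is at least loading_ratio times the largest loading
    are identified as attacked (assumed rule)."""
    corr = correlation_matrix(zscore_rows(entropies))
    lam, vec = power_iteration(corr)
    if lam <= eig_threshold:
        return False, lam, []
    loads = [abs(x) for x in vec]
    cut = loading_ratio * max(loads)
    return True, lam, [i for i, load in enumerate(loads) if load >= cut]


def simulate_entropies(attacked=(), servers=8, windows=500, noise=0.3,
                       attack_amp=0.35, seed=7):
    """Constructed entropy series (not measured data). Each server's per-window
    query-IP entropy fluctuates independently around 14 bits; attacked servers
    additionally share a small common term driven by the attacker's varying query
    volume, which is what makes their entropies correlated."""
    rng = random.Random(seed)
    common = [rng.gauss(0.0, 1.0) for _ in range(windows)]
    rows = []
    for s in range(servers):
        row = [14.0 + rng.gauss(0.0, noise) for _ in range(windows)]
        if s in attacked:
            # per-server shift is about one noise standard deviation: "slight" locally
            row = [h - attack_amp * c for h, c in zip(row, common)]
        rows.append(row)
    return rows


if __name__ == "__main__":
    print("normal:", detect_and_identify(simulate_entropies()))
    print("attack:", detect_and_identify(simulate_entropies(attacked=(1, 3, 4, 6))))
```

In the constructed normal case the largest eigenvalue stays near the value expected for eight independent series over 500 windows (roughly 1.3), while the attack case, in which each attacked server's entropy moves by only about one noise standard deviation, pushes it to roughly 2.7 because the four attacked servers move together; that gap, invisible to any single server's local statistic, is the fusion effect the abstract describes. The threshold should in practice be calibrated on a known-clean period rather than fixed at 1.8.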

Inspec keywords: computer network security; Internet; principal component analysis; matrix algebra; sensor fusion; cache storage; eigenvalues and eigenfunctions

Other keywords: DNS; attack identification; information fusion-based detection method; multiple cache servers; information fusion-based identification method; query Internet protocol address; attack detection; principal component analysis; China; normalised entropies matrix; large-scale DNS; query IP address; distributed attack; cache poisoning; domain name system; eigenvalue

Subjects: Data security; Internet software; File organisation; Linear algebra (numerical analysis); Other computer networks; Other topics in statistics; Algebra

http://iet.metastore.ingenta.com/content/journals/10.1049/iet-ifs.2014.0386