Countering Malicious Processes with Process-DNS Association

Publication Date: 2/27/2019

Event: The 26th Annual Network and Distributed System Security Symposium (NDSS 2019)

Reference: pp. 1-15, 2019

Authors: Suphannee Sivakorn , Columbia University; Kangkook Jee, NEC Laboratories America, Inc.; Yixin Sun, Princeton University; Lauri Korts-Pärn, NEC Corporation of America; Cyber Defense Institute; Zhichun Li, NEC Laboratories America, Inc.; Cristian Lumezanu, NEC Laboratories America, Inc.; Lu-An Tang, NEC Laboratories America, Inc.; Ding Li , NEC Laboratories America, Inc.

Abstract: Modern malware and cyber attacks depend heavily on DNS services to make their campaigns reliable and difficult to track. Monitoring network DNS activities and blocking suspicious domains have been proven an effective technique in countering such attacks. However, recent successful campaigns reveal that at- tackers adapt by using seemingly benign domains and public web storage services to hide malicious activity. Also, the recent support for encrypted DNS queries provides attacker easier means to hide malicious traffic from network-based DNS monitoring.We propose PDNS, an end-point DNS monitoring system based on DNS sensor deployed at each host in a network, along with a centralized backend analysis server. To detect such attacks, PDNS expands the monitored DNS activity context and examines process context which triggered that activity. Specifically, each deployed PDNS sensor matches domain name and the IP address related to the DNS query with process ID, binary signature, loaded DLLs, and code signing information of the program that initiated it. We evaluate PDNS on a DNS activity dataset collected from 126 enterprise hosts and with data from multiple malware sources. Using ML Classifiers including DNN, our results outperform most previous works with high detection accuracy: a true positive rate at 98.55% and a low false positive rate at 0.03%.

Publication Link: