Computer Science ›› 2020, Vol. 47 ›› Issue (11A): 396-401.doi: 10.11896/jsjkx.200100060

• Information Security •

Analysis of Kaminsky Attack and Its Abnormal Behavior

CHEN Xi, FENG Mei, JIANG Bo   

  1. Institute of Computing Technology of Research Institute of Petroleum Exploration and Development,Beijing 100083,China
  • Online: 2020-11-15  Published: 2020-11-17
  • About author: CHEN Xi, born in 1994, postgraduate. Her main research interests include network security, anomaly detection and behavior analysis.

Abstract: The Kaminsky attack is a remote DNS cache poisoning attack. Once it succeeds, requests to resolve names under the targeted second-level domain are directed to a fake authoritative name server. This article proposes a novel method for detecting the abnormal behavior of Kaminsky attacks based on attack signatures. First, features such as time, IP address, DNS flags and DNS Transaction ID are extracted from DNS packets. Then a sliding window is applied to deduplicate Transaction IDs and to compute the conditional entropy of the Transaction ID given the IP address. Finally, an improved CUSUM algorithm is applied to the time series of conditional entropy to detect the attack time. In addition, using the data within the detected attack time, the conditional entropy can be traced back to the IP address of the poisoning target, the authoritative name server. The analysis samples consist of attack traffic and normal traffic. Simulations with different parameters of the attack code verify that the method not only has low time complexity but also a low false positive rate, a low false negative rate and a high detection rate, making it an effective means of detection and analysis.
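The pipeline described in the abstract (feature extraction, sliding-window deduplication, conditional entropy H(TXID | IP), CUSUM over the entropy series, traceback to the impersonated server IP) is illustrated below with an added example. This is not the authors' code: the window width and step, the dedup rule, the plain one-sided CUSUM (the paper's "improved" variant is not described on this page), its allowance and threshold, and the constructed sample traffic (three authoritative servers, a resolver at 10.0.0.53, and a 500-packet forged-answer burst spoofing 192.0.2.30 at t = 6.0 s) are all assumptions made for the demonstration.

```python
"""Added example (not the paper's implementation): conditional-entropy + CUSUM
detection of a Kaminsky-style forged-response flood, with traceback to the
spoofed authoritative server IP. All parameters and traffic are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from math import log2
import random

QR_BIT = 0x8000  # DNS flags bit 15: set on responses, clear on queries

@dataclass(frozen=True)
class DnsRecord:
    t: float      # capture time in seconds
    src_ip: str   # packet source IP; for a response, the (claimed) server
    flags: int    # DNS header flags
    txid: int     # DNS transaction ID

def is_response(rec):
    return rec.flags & QR_BIT != 0

def conditional_entropy(window):
    """Return (H(TXID | IP), per-IP contribution) over the responses in a window.
    (src_ip, txid) pairs are deduplicated first: a retransmitted legitimate answer
    counts once, while a flood of forged answers with distinct guessed TXIDs keeps
    its full weight. This dedup rule is an assumption of the example."""
    pairs = {(r.src_ip, r.txid) for r in window if is_response(r)}
    if not pairs:
        return 0.0, {}
    per_ip = defaultdict(set)
    for ip, txid in pairs:
        per_ip[ip].add(txid)
    total, contrib = len(pairs), {}
    for ip, txids in per_ip.items():
        # After dedup the TXIDs under one IP are distinct and equiprobable,
        # so H(TXID | IP=ip) = log2(n_ip); weight it by p(ip) = n_ip / total.
        contrib[ip] = len(txids) / total * log2(len(txids))
    return sum(contrib.values()), contrib

def entropy_series(records, width=1.0, step=0.5):
    """Slide a window of `width` seconds by `step` across the capture."""
    records = sorted(records, key=lambda r: r.t)
    series = []
    if not records:
        return series
    start, t_end = records[0].t, records[-1].t
    while start <= t_end:
        h, contrib = conditional_entropy([r for r in records if start <= r.t < start + width])
        series.append((start, h, contrib))
        start += step
    return series

def cusum_alarms(series, n_train=6, allowance=0.5, threshold=3.0):
    """One-sided CUSUM on the entropy series. The first n_train windows are assumed
    attack-free and supply the baseline mean. Returns the alarmed window starts."""
    baseline = sum(h for _, h, _ in series[:n_train]) / n_train
    s, alarms = 0.0, []
    for start, h, _ in series:
        s = max(0.0, s + (h - baseline - allowance))
        if s > threshold:
            alarms.append(start)
            s = 0.0  # reset so every alarmed window is reported separately
    return alarms

def traceback(series, alarm_start):
    """IP whose TXIDs dominate the alarmed window's entropy: the server being spoofed."""
    for start, _, contrib in series:
        if start == alarm_start:
            return max(contrib, key=contrib.get)
    return None

def sample_capture():
    """Constructed traffic, not a real capture: 10 s of normal resolver traffic plus
    a 0.1 s burst of 500 forged answers spoofing 192.0.2.30 starting at t = 6.0."""
    resolver, servers = "10.0.0.53", ["198.51.100.10", "203.0.113.20", "192.0.2.30"]
    recs = []
    for sec in range(10):
        for i, ip in enumerate(servers):
            for j in range(2 + (sec + i) % 2):            # 2 or 3 lookups per server per second
                t, txid = sec + 0.3 * i + 0.05 * j, 1000 * sec + 10 * i + j
                recs.append(DnsRecord(t, resolver, 0x0100, txid))        # query (RD set)
                recs.append(DnsRecord(t + 0.01, ip, 0x8180, txid))       # genuine answer
    rng = random.Random(42)
    for n, txid in enumerate(rng.sample(range(65536), 500)):            # distinct guessed TXIDs
        recs.append(DnsRecord(6.0 + 0.0002 * n, "192.0.2.30", 0x8400, txid))  # forged, AA set
    return recs

def detect(records):
    """Run the full pipeline; returns (alarm window starts, traced-back IP per alarm)."""
    series = entropy_series(records)
    alarms = cusum_alarms(series)
    return alarms, [traceback(series, a) for a in alarms]

if __name__ == "__main__":
    for start, ip in zip(*detect(sample_capture())):
        print(f"alarm in window starting t={start:.1f}s, impersonated server {ip}")
```

On the constructed capture the normal windows score roughly 1.2 to 1.5 bits, the two windows that overlap the burst score close to 9 bits, and both are traced back to 192.0.2.30. The window width must be shorter than the attacker's race window for the entropy spike to stand out; the reset after each alarm is what makes consecutive bursts (repeated Kaminsky attempts with fresh random subdomains) show up as separate alarms.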

Key words: Behavior analysis, Conditional entropy, CUSUM algorithm, Domain Name System, Kaminsky attack, Retrospect

CLC Number: TP393