Detecting Malicious Activity by Anomalous DNS Use
The Domain Name System (DNS) converts a fully qualified domain name, e.g. one typed into a browser by a user as part of a URL, into a numeric IP address. Computer worms typically use random scanning, i.e. they target numeric IP addresses directly rather than the qualified domain names of systems, and thus bypass the need for DNS queries. New network connections that cannot be associated with earlier DNS activity may therefore be considered anomalous (with some degree of error). Preliminary work [1] has involved building an initial toolset to determine the practical utility of this observation for the detection of random scanning worms, the most common means of worm propagation on the Internet today. It involves the observation and correlation of all locally generated DNS activity to detect local-to-local inter-cell (we partition a local network into cells) or local-to-remote worm propagation. The approach appears promising regardless of the scanning rate, allowing scanning worm propagation to be detected on a single scanning attempt. However, to ease practical deployment, further work is required to simplify the handling of legitimate traffic that does not require DNS queries.
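The following is an added illustration of the correlation idea described above; it is not code from the cited paper or the toolset it describes. It assumes a constructed event trace (DNS answers seen on the local network and new outbound connection attempts), a hypothetical validity window for resolved addresses, and a hypothetical allow-list standing in for the "valid traffic which does not require DNS queries" that the text notes still needs handling.

```python
from ipaddress import ip_address, ip_network

DNS_WINDOW = 300  # seconds a resolved address stays "explained" (assumed value)
# Constructed allow-list: traffic that legitimately happens without DNS,
# here the local cell's own subnet (a placeholder, not from the page).
NO_DNS_ALLOWED = [ip_network("192.168.1.0/24")]

class DnsCorrelator:
    """Flag new connections whose destination was not recently resolved via DNS."""

    def __init__(self, window=DNS_WINDOW):
        self.window = window
        # (local source host, resolved IP) -> timestamp of the DNS answer
        self.resolved = {}

    def on_dns_answer(self, ts, client, answers):
        # Record every address returned to this client as "explained" from ts.
        for ip in answers:
            self.resolved[(client, ip)] = ts

    def on_connection(self, ts, src, dst):
        """Return None if the connection is explained, else an alert string."""
        if any(ip_address(dst) in net for net in NO_DNS_ALLOWED):
            return None
        seen = self.resolved.get((src, dst))
        if seen is not None and 0 <= ts - seen <= self.window:
            return None
        return f"{src} -> {dst} at t={ts}: no preceding DNS resolution"

def run(events, window=DNS_WINDOW):
    """Replay a trace of ('dns', ts, client, [ips]) / ('conn', ts, src, dst) events."""
    corr = DnsCorrelator(window)
    alerts = []
    for ev in events:
        if ev[0] == "dns":
            corr.on_dns_answer(ev[1], ev[2], ev[3])
        else:
            alert = corr.on_connection(ev[1], ev[2], ev[3])
            if alert:
                alerts.append(alert)
    return alerts

# Constructed sample trace: one host browsing normally, one host scanning.
SAMPLE_EVENTS = [
    ("dns", 100, "10.0.0.5", ["93.184.216.34"]),
    ("conn", 101, "10.0.0.5", "93.184.216.34"),  # explained by the DNS answer
    ("conn", 102, "10.0.0.5", "192.168.1.20"),   # local cell, allow-listed
    ("conn", 103, "10.0.0.9", "203.0.113.17"),   # no DNS: flagged on first attempt
    ("conn", 104, "10.0.0.9", "203.0.113.18"),   # no DNS: flagged
    ("conn", 500, "10.0.0.5", "93.184.216.34"),  # resolution older than the window
]
```

The last event shows the main source of false positives the text alludes to: a cached or long-lived address reused after the window expires looks identical to a scan, so the window and allow-list need tuning per site.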
We will explore the extension of this idea to detect local-to-local intra-cell scanning worm propagation, i.e. a scanning worm on a local network propagating to another node on the same local network, within the same partitioned cell (cf. above). Our planned approach is as follows. Just as DNS resolves qualified domain names to numeric IP addresses, the Address Resolution Protocol (ARP) is used by IPv4 over Ethernet to resolve IP network addresses to hardware addresses at the data link layer. We plan to detect anomalous ARP activity in a manner analogous to the detection of anomalous DNS activity outlined above. In this case, standard statistical measures (e.g. mean, standard deviation, etc.) will be taken on several to-be-determined parameters which we find characterize "normal" ARP traffic, as a reference against which subsequent ARP traffic is tested for anomalous behavior.
Longer term, we would also like to explore the use of a similar approach to detect additional classes of malicious activity.
1. D. Whyte, E. Kranakis, P.C. van Oorschot, DNS-based Detection of Scanning Worms in an Enterprise Network, Network and Distributed System Security (NDSS'05, to appear), Feb. 2005, San Diego. Draft report: Carleton Univ., C.S. Tech. Report TR-04-06 (24 Aug. 2004).