Using DNS Patterns for Automated Cyber Threat Attribution

Cristoffer Leite, Jerry Den Hartog, Daniel Ricardo Dos Santos

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review


Abstract

Linking attacks to the actors responsible is a critical part of threat analysis. Threat attribution, however, is challenging. Attackers try to avoid detection and divert attention to mislead investigations. The trend of attackers using malicious services provided by third parties also makes it difficult to discern between attackers and providers. Besides that, having a security team doing manual-only analysis might overwhelm analysts. As a result, the effective use of any trustworthy information for attribution is paramount, and automating this process is valuable. For this purpose, we propose an approach to perform automated attribution with a source of reliable information that is currently underutilised: the DNS patterns used by attackers. Our method creates recommendations based on similar patterns observed between a new incident and already attributed attacks, and then generates a list of the most similar attacks. We show that our approach can, at ten recommendations, achieve 0.8438 precision and 0.7378 accuracy. We also show that DNS patterns have a short lifespan, which preserves their utility even in more recent knowledge bases.

Original language: English
Title of host publication: ARES '24
Subtitle of host publication: Proceedings of the 19th International Conference on Availability, Reliability and Security
Place of Publication: New York
Publisher: Association for Computing Machinery, Inc
Number of pages: 11
ISBN (Electronic): 979-8-4007-1718-5
DOIs
Publication status: Published - 30 Jul 2024
Event: 19th International Conference on Availability, Reliability and Security, ARES 2024 - Vienna, Austria
Duration: 30 Jul 2024 to 2 Aug 2024

Conference

Conference: 19th International Conference on Availability, Reliability and Security, ARES 2024
Country/Territory: Austria
City: Vienna
Period: 30/07/24 to 2/08/24
