Privacy-conscious threat intelligence using DNSBLoom

Roland van Rijswijk-Deij, Gijs Rijnders, Matthijs Bomhoff, Luca Allodi

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, Academic, peer review

Abstract

The Domain Name System (DNS) is an essential component of every interaction on the Internet. DNS translates human-readable names into machine readable IP addresses. Conversely, DNS requests provide a wealth of information about what goes on in the network. Malicious activity - such as phishing, malware and botnets - also makes use of the DNS. Thus, monitoring DNS traffic is essential for the security team's toolbox. Yet because DNS is so essential to Internet services, tracking DNS is also highly privacy-invasive, as what domain names a user requests reveals their Internet use. Therefore, in an age of comprehensive privacy legislation, such as Europe's GDPR, simply logging every DNS request is not acceptable.

In this paper we present DNSBloom, a system that uses Bloom Filters as a privacy-enhancing technology to store DNS requests. Bloom Filters act as a probabilistic set, where a membership test either returns probable membership (with a small false positive probability), or certain non-membership. Because Bloom Filters do not store original information, and because DNSBloom aggregates queries from multiple users over fixed time periods, the system offers strong privacy guarantees while enabling security professionals to check with a high degree of confidence whether certain DNS queries associated with malicious activity have occurred. We validate DNSBloom through three case studies performed on the production DNS infrastructure of a major global research network, and release a working prototype, that integrates with popular DNS resolvers, in open source.
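The mechanism the abstract describes, as an added sketch that is not the DNSBloom prototype's code: one Bloom filter per fixed time window, filled with query names from all clients, then tested against an indicator domain. The filter size, hash count, one-hour window, SHA-256 double hashing, function names and the sample log are all assumptions made for this example.

```python
import hashlib

class BloomFilter:
    """m-bit Bloom filter with k hash positions (sizes assumed for this example)."""
    def __init__(self, m_bits=1 << 16, k=7):
        self.m, self.k = m_bits, k
        self.bits = bytearray(m_bits // 8)

    def _positions(self, item):
        # Double hashing: derive k bit positions from one SHA-256 digest.
        d = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item):
        # True = probably present; False = certainly never added.
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))

def normalise(qname):
    # DNS names are case-insensitive; strip the trailing root dot.
    return qname.rstrip(".").lower()

def build_windows(queries, window_s=3600):
    """queries: (unix_ts, client_ip, qname). Only the name enters the filter."""
    windows = {}
    for ts, _client_ip, qname in queries:
        start = ts - ts % window_s  # aggregate all clients per fixed window
        windows.setdefault(start, BloomFilter()).add(normalise(qname))
    return windows

def windows_with_ioc(windows, ioc):
    """Window start times in which the indicator domain was probably queried."""
    return sorted(s for s, bf in windows.items() if normalise(ioc) in bf)

# Constructed sample log (documentation addresses and reserved names).
SAMPLE = [
    (1554710400, "192.0.2.10", "www.example.org."),
    (1554710460, "192.0.2.11", "C2.Malicious.example."),
    (1554714000, "192.0.2.12", "mail.example.net."),
    (1554717700, "192.0.2.10", "c2.malicious.example."),
]

if __name__ == "__main__":
    print(windows_with_ioc(build_windows(SAMPLE), "c2.malicious.example"))
```

A hit tells the analyst in which window the name was probably queried, not which client asked; the client address never enters the filter.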

Language: English
Title: 2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019
Place of publication: Piscataway
Publisher: Institute of Electrical and Electronics Engineers
Pages: 98-106
Number of pages: 9
ISBN (electronic): 978-3-903176-15-7
Status: Published - 16 May 2019
Event: 2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019 - Arlington, United States of America
Duration: 8 Apr 2019 to 12 Apr 2019

Conference

Conference: 2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019
Country: United States of America
City: Arlington
Period: 8/04/19 to 12/04/19

Fingerprint

Internet
Monitoring
Threat
Privacy
Botnet
Malware

Keywords

DNS, GDPR, Indicator-of-compromise, Measurement, Privacy, Threat detection

    Cite this

    van Rijswijk-Deij, R., Rijnders, G., Bomhoff, M., & Allodi, L. (2019). Privacy-conscious threat intelligence using DNSBLoom. In 2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019 (pp. 98-106). [8717908] Piscataway: Institute of Electrical and Electronics Engineers.
    @inproceedings{365326e66c2448a99c7faf36cee38dd3,
    title = "Privacy-conscious threat intelligence using DNSBLoom",
    keywords = "DNS, GDPR, Indicator-of-compromise, Measurement, Privacy, Threat detection",
    author = "{van Rijswijk-Deij}, Roland and Gijs Rijnders and Matthijs Bomhoff and Luca Allodi",
    year = "2019",
    month = "5",
    day = "16",
    language = "English",
    pages = "98--106",
    booktitle = "2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019",
    publisher = "Institute of Electrical and Electronics Engineers",
    address = "United States",

    }

    TY - GEN

    T1 - Privacy-conscious threat intelligence using DNSBLoom

    AU - van Rijswijk-Deij,Roland

    AU - Rijnders,Gijs

    AU - Bomhoff,Matthijs

    AU - Allodi,Luca

    PY - 2019/5/16

    Y1 - 2019/5/16

    KW - DNS

    KW - GDPR

    KW - Indicator-of-compromise

    KW - Measurement

    KW - Privacy

    KW - Threat detection

    UR - http://www.scopus.com/inward/record.url?scp=85067047085&partnerID=8YFLogxK

    M3 - Conference contribution

    SP - 98

    EP - 106

    BT - 2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019

    PB - Institute of Electrical and Electronics Engineers

    CY - Piscataway

    ER -
