Privacy-conscious threat intelligence using DNSBLoom

Abstract
The Domain Name System (DNS) is an essential component of every interaction on the Internet. DNS translates human-readable names into machine-readable IP addresses. Consequently, DNS requests provide a wealth of information about what goes on in the network. Malicious activity, such as phishing, malware and botnets, also makes use of the DNS. Thus, monitoring DNS traffic is an essential part of the security team's toolbox. Yet because DNS is so essential to Internet services, tracking DNS is also highly privacy-invasive, as the domain names a user requests reveal their Internet use. Therefore, in an age of comprehensive privacy legislation, such as Europe's GDPR, simply logging every DNS request is not acceptable. In this paper we present DNSBloom, a system that uses Bloom Filters as a privacy-enhancing technology to store DNS requests. Bloom Filters act as a probabilistic set, where a membership test either returns probable membership (with a small false positive probability) or certain non-membership. Because Bloom Filters do not store the original information, and because DNSBloom aggregates queries from multiple users over fixed time periods, the system offers strong privacy guarantees while enabling security professionals to check with a high degree of confidence whether certain DNS queries associated with malicious activity have occurred. We validate DNSBloom through three case studies performed on the production DNS infrastructure of a major global research network, and release a working prototype that integrates with popular DNS resolvers as open source.
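The abstract describes the core mechanism in one sentence: every query name observed in a time window is inserted into a Bloom Filter, and an analyst later tests indicator domains for membership, getting either "probably seen" or "certainly not seen". The following is an added illustration of that mechanism, not the DNSBLOOM or HONAS code itself. The hash construction (SHA-256 split into two halves, combined by double hashing), the per-window salt, the parameter sizing and the sample query list are all assumptions made for this example; the paper's own implementation choices are not given on this page.

```python
"""Bloom-filter storage of DNS query names: insert every qname seen in an
aggregation window, later test indicator domains for membership.
Illustrative code written for this page, not the DNSBLOOM/HONAS source."""
import hashlib
import math
from typing import Dict, Iterable, Iterator, List, Tuple


class BloomFilter:
    def __init__(self, m_bits: int, k_hashes: int, salt: bytes = b"") -> None:
        if m_bits <= 0 or k_hashes <= 0:
            raise ValueError("m_bits and k_hashes must be positive")
        self.m = m_bits
        self.k = k_hashes
        # Assumption for this example: a salt that changes per window, so bit
        # positions cannot be correlated across windows without the salt.
        self.salt = salt
        self.bits = bytearray((m_bits + 7) // 8)
        self.count = 0  # number of insertions, used for the FP estimate

    @staticmethod
    def canonical(qname: str) -> bytes:
        # DNS names are case-insensitive and may carry a trailing dot;
        # normalise so "MAIL.Example.COM." and "mail.example.com" match.
        return qname.rstrip(".").lower().encode("utf-8")

    def _positions(self, item: bytes) -> Iterator[int]:
        # Kirsch-Mitzenmacher double hashing: one SHA-256 digest yields two
        # 64-bit values h1, h2; the k indices are h1 + i*h2 mod m.
        digest = hashlib.sha256(self.salt + item).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, qname: str) -> None:
        for pos in self._positions(self.canonical(qname)):
            self.bits[pos >> 3] |= 1 << (pos & 7)
        self.count += 1

    def __contains__(self, qname: str) -> bool:
        # All k bits set -> "probably present"; any bit clear -> certainly absent.
        return all(self.bits[pos >> 3] & (1 << (pos & 7))
                   for pos in self._positions(self.canonical(qname)))

    def false_positive_rate(self) -> float:
        # Textbook estimate after n insertions into m bits with k hashes.
        return (1 - math.exp(-self.k * self.count / self.m)) ** self.k


def optimal_parameters(n_items: int, target_fp: float) -> Tuple[int, int]:
    """Filter size m and hash count k for n items at the target FP rate."""
    n_items = max(n_items, 1)
    m = math.ceil(-n_items * math.log(target_fp) / (math.log(2) ** 2))
    k = max(1, round(m / n_items * math.log(2)))
    return m, k


# Constructed sample traffic for one aggregation window (not real data).
WINDOW_QUERIES: List[str] = [
    "www.example.com.", "MAIL.EXAMPLE.COM", "cdn.example.net",
    "update.example.org", "evil-c2.example", "tracker.example.net",
]
# Constructed indicator list standing in for a threat-intelligence feed.
IOCS: List[str] = ["evil-c2.example", "payload.example.biz"]


def build_window_filter(queries: Iterable[str], window_id: str,
                        target_fp: float = 1e-4) -> BloomFilter:
    """Aggregate all queries of one window into a single salted filter."""
    items = list(queries)
    m, k = optimal_parameters(len(items), target_fp)
    bf = BloomFilter(m, k, salt=window_id.encode("utf-8"))
    for qname in items:
        bf.add(qname)
    return bf


def check_iocs(bf: BloomFilter, iocs: Iterable[str]) -> Dict[str, bool]:
    """Membership test per indicator: True = probably queried, False = not."""
    return {ioc: (ioc in bf) for ioc in iocs}


if __name__ == "__main__":
    window = build_window_filter(WINDOW_QUERIES, "2019-04-08T10:00Z")
    print(check_iocs(window, IOCS))
    print(f"estimated false positive rate: {window.false_positive_rate():.2e}")
```

The filter keeps no query names, only bit positions, so an analyst holding it can ask "was evil-c2.example queried in this window?" but cannot list what was queried. A positive answer carries the false positive probability reported by `false_positive_rate()`, a negative answer is exact, which is the asymmetry the abstract relies on.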
| Original language | English |
|---|---|
| Title | 2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019 |
| Place of publication | Piscataway |
| Publisher | Institute of Electrical and Electronics Engineers |
| Pages | 98-106 |
| Number of pages | 9 |
| Electronic ISBN | 978-3-903176-15-7 |
| Status | Published - 16 May 2019 |
| Event | 2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019 - Arlington, United States of America. Duration: 8 Apr 2019 → 12 Apr 2019 |
Conference
| Conference | 2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019 |
|---|---|
| Country/Region | United States of America |
| City | Arlington |
| Period | 8 Apr 2019 → 12 Apr 2019 |
Funding
To test our approach, we designed and implemented a prototype to meet the goals specified in the previous section. We called this prototype "DNSBLOOM". The prototype is based on an open source application that collects DNS queries in a Bloom Filter, called "HONAS". This application was initially developed internally at Tesorion as a means to gather telemetry on threats for malware research purposes in a privacy-friendly way. The application was released as open source with funding from SURFnet, the National Research and Education Network in the Netherlands [21]. DNSBLOOM is based on HONAS and extends it to make it ready for deployment in an ISP context. In the remainder of this section, we discuss the design and implementation of DNSBLOOM.

This work was funded by SURF, the Netherlands collaborative organisation for ICT in higher education and research. We thank Wim Biemolt, Bart Geesink and Remco Poortinga-van Wijnen, from SURFnet, for their valuable feedback on our work. We also thank the anonymous reviewers for their feedback.
Fingerprint
Research topics of 'Privacy-conscious threat intelligence using DNSBLoom'.