Using DNS Patterns for Automated Cyber Threat Attribution

Cristoffer Leite, Jerry Den Hartog, Daniel Ricardo Dos Santos

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, Academic, peer-reviewed


Abstract

Linking attacks to the actors responsible is a critical part of threat analysis. Threat attribution, however, is challenging. Attackers try to avoid detection and divert attention to mislead investigations. The trend of attackers using malicious services provided by third parties also makes it difficult to discern between attackers and providers. Besides that, a security team doing manual-only analysis risks overwhelming its analysts. As a result, the effective use of any trustworthy information for attribution is paramount, and automating this process is valuable. For this purpose, we propose an approach to perform automated attribution with a source of reliable information that is currently underutilised: the DNS patterns used by attackers. Our method creates recommendations based on similar patterns observed between a new incident and already attributed attacks and then generates a list of the most similar attacks. We show that our approach can, at ten recommendations, achieve 0.8438 precision and 0.7378 accuracy. We also show that DNS patterns have a short lifespan, which allows their utility even in more recent knowledge bases.

Original language: English
Title: ARES '24
Subtitle: Proceedings of the 19th International Conference on Availability, Reliability and Security
Place of publication: New York
Publisher: Association for Computing Machinery, Inc
Number of pages: 11
Electronic ISBN: 979-8-4007-1718-5
Status: Published - 30 Jul 2024
Event: 19th International Conference on Availability, Reliability and Security, ARES 2024 - Vienna, Austria
Duration: 30 Jul 2024 to 2 Aug 2024

Conference

Conference: 19th International Conference on Availability, Reliability and Security, ARES 2024
Country/Region: Austria
City: Vienna
Period: 30/07/24 to 2/08/24
