Last month, in this post, we announced an upcoming service called EXPOSURE, which detects domain names that are involved in malicious activities by performing passive DNS analysis. After a period of testing, we have now launched the beta version of the service: EXPOSURE has been running and reporting the potentially malicious domains it detects at exposure.iseclab.org since the 22nd of December, 2010.
Before explaining how the information on the Exposure website can be used and interpreted by security experts and organizations to identify malware-infected machines, I would like to give some technical details about EXPOSURE. As we stated in our recent work, EXPOSURE learns malicious DNS behavior from a set of features that are extracted from DNS records. To build accurate rules from what is learnt, one needs a sufficiently large volume of training data. In the current version of EXPOSURE, we operate on the data feeds provided by SIE@ISC, which shares real-time DNS response data with us. The SIE collects the DNS traffic received by many recursive DNS servers located in North America and in Europe, so the SIE sensors, which aggregate this traffic, see large volumes of data. In fact, EXPOSURE processes approximately 2 billion DNS queries a day on average.
Once the system has been trained with known malicious domains, it starts to identify, on a daily basis, a wide range of malicious domains that were previously unknown to it, such as botnet command and control servers, phishing sites, and scam hosts. EXPOSURE works as a sliding-window system: at the end of every day, after the detection process has finished, the analysis window is shifted by one day, and the newly detected domains are reported on the Exposure website.
The most significant contribution of EXPOSURE is its collection of features extracted through time-series analysis. Using these features, we are able to detect short-lived malicious domains, that is, domains that are used for only a short period of time. Domain names generated by a domain generation algorithm (DGA) are a good example of such domains.
Time-series analysis also makes it possible to detect malicious domains that exhibit abnormal, abrupt changes in the number of DNS queries they receive. The experiments in our paper show that malicious domains have more irregular time-series behavior than benign ones, and the graphs of many of the malicious domains shown on the website support this thesis.
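To make the three ideas above concrete (the one-day sliding window, short-lived domains, and abrupt changes in query volume), here is a small added illustration in Python. It is not EXPOSURE's own code: the window length, the thresholds, the feature names, the hand-written flagging rule and the per-domain daily query counts are all assumptions made for this example and are not taken from the EXPOSURE paper, the website or the SIE feed.

```python
"""Toy time-series features over passive-DNS query counts.

Added illustration, not EXPOSURE's code. The window length, thresholds,
feature names and per-day counts are assumptions made for the example;
they are not values from the EXPOSURE paper or website.
"""
from statistics import mean, pstdev

WINDOW_DAYS = 7  # assumed analysis window length


# Constructed per-day query counts, one list per domain, oldest day first.
# The names and numbers are made up and do not come from SIE data.
SAMPLE_SERIES = {
    # steady traffic every day: looks benign
    "example-cdn.test": [1200, 1150, 1230, 1180, 1210, 1190, 1220],
    # resolved on two days only, then silent: short-lived, DGA-like
    "q7x3kz9p.test": [0, 0, 3100, 2950, 0, 0, 0],
    # quiet, then a sudden burst, then quiet again: abrupt changes
    "update-svc.test": [40, 45, 38, 42, 5200, 4900, 60],
}


def sliding_window(series, end_day, width=WINDOW_DAYS):
    """Counts for the `width` days ending at index `end_day` (inclusive),
    left-padded with zeros when the history is shorter than the window."""
    start = end_day + 1 - width
    if start < 0:
        return [0] * (-start) + series[: end_day + 1]
    return series[start : end_day + 1]


def active_days(series):
    """Days in the window on which the domain was queried at all."""
    return sum(1 for c in series if c > 0)


def longest_active_run(series):
    """Length of the longest run of consecutive days with queries."""
    best = run = 0
    for c in series:
        run = run + 1 if c > 0 else 0
        best = max(best, run)
    return best


def is_short_lived(series, max_active_days=2):
    """Short-lived: queried on at most `max_active_days` days of the window,
    all of them consecutive (assumed rule)."""
    active = active_days(series)
    return 0 < active <= max_active_days and active == longest_active_run(series)


def abrupt_changes(series, factor=5.0):
    """Day-to-day transitions where the count changes by more than `factor`x.
    Going from zero to non-zero (or back) also counts as abrupt (assumed rule)."""
    changes = 0
    for prev, cur in zip(series, series[1:]):
        if prev == 0 and cur == 0:
            continue
        if prev == 0 or cur == 0 or max(prev, cur) / min(prev, cur) > factor:
            changes += 1
    return changes


def irregularity(series):
    """Coefficient of variation (std dev / mean); higher means a more
    irregular request pattern. Zero for a domain that was never queried."""
    avg = mean(series)
    return pstdev(series) / avg if avg > 0 else 0.0


def time_series_features(series):
    """The feature vector a classifier would be trained on."""
    return {
        "active_days": active_days(series),
        "short_lived": is_short_lived(series),
        "abrupt_changes": abrupt_changes(series),
        "irregularity": irregularity(series),
    }


def flag_suspicious(series, min_abrupt=2, min_irregularity=1.0):
    """Hand-written stand-in for the trained model: flag a domain if it is
    short-lived, or if its series is both jumpy and highly irregular.
    EXPOSURE learns its rules from labelled data; this rule only illustrates
    what the features capture."""
    f = time_series_features(series)
    return f["short_lived"] or (
        f["abrupt_changes"] >= min_abrupt and f["irregularity"] >= min_irregularity
    )


def daily_report(all_series, end_day, width=WINDOW_DAYS):
    """One sliding-window step: score every domain on the window that ends
    at `end_day` and return the sorted names of the flagged domains."""
    return sorted(
        name for name, s in all_series.items()
        if flag_suspicious(sliding_window(s, end_day, width))
    )


if __name__ == "__main__":
    for name, s in SAMPLE_SERIES.items():
        print(name, time_series_features(s))
    print("flagged on the last day:", daily_report(SAMPLE_SERIES, WINDOW_DAYS - 1))
```

One caveat the example makes visible: because the window is zero-padded, a domain that appears for the first time near the end of the window looks short-lived simply because it has no history yet. Whether a domain is really short-lived only becomes clear once the window has slid past its first appearance, so a report produced from a single day's window should be read as a candidate list, not a verdict.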
We believe that EXPOSURE is a useful system that can help security experts and organizations in their fight against cyber-crime. For each malicious domain reported on our website, we plot its time-series graph and produce the list of IP addresses that the domain has been mapped to. Moreover, we link the IP address table with FIRE, so that one can see whether the AS of an IP address is already known for hosting or sourcing malicious activities.
In the next posts, I will give details about some malicious domains that were detected by EXPOSURE.
Thanks for your interest,