Security and Privacy in Communication Networks. 11th International Conference, SecureComm 2015, Dallas, TX, USA, October 26-29, 2015, Revised Selected Papers

Research Article

You Are How You Query: Deriving Behavioral Fingerprints from DNS Traffic

  • @INPROCEEDINGS{10.1007/978-3-319-28865-9_19,
        author={Dae Kim and Junjie Zhang},
        title={You Are How You Query: Deriving Behavioral Fingerprints from DNS Traffic},
        proceedings={Security and Privacy in Communication Networks. 11th International Conference, SecureComm 2015, Dallas, TX, USA, October 26-29, 2015, Revised Selected Papers},
        proceedings_a={SECURECOMM},
        year={2016},
        month={2},
        keywords={Domain Name System, Behavioral fingerprints, Privacy},
        doi={10.1007/978-3-319-28865-9_19}
    }
    
  • Dae Kim
    Junjie Zhang
    Year: 2016
    You Are How You Query: Deriving Behavioral Fingerprints from DNS Traffic
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-319-28865-9_19
Dae Kim1,*, Junjie Zhang1,*
  • 1: Wright State University
*Contact email: kim.107@wright.edu, junjie.zhang@wright.edu

Abstract

As the Domain Name System (DNS) plays an indispensable role in a large number of network applications, including those used for malicious purposes, collecting and sharing DNS traffic from real networks is highly desirable for a variety of purposes such as measurements and system evaluation. However, information leakage through collected network traffic raises significant privacy concerns, and DNS traffic is no exception. In this paper, we study a new privacy risk introduced by passively collected DNS traffic. We intend to derive behavioral fingerprints from DNS traces, where each behavioral fingerprint aims to uniquely identify its corresponding user and to be immune to changes over time. We have proposed a set of new patterns, which collectively form behavioral fingerprints by characterizing a user’s DNS activities from three different perspectives: the domain name, the inter-domain relationship, and domains’ temporal behavior. We have also built a distributed system, namely , to automatically derive DNS-based behavioral fingerprints from a massive amount of DNS traces. We have performed an extensive evaluation based on a large volume of DNS queries collected from a large campus network across two weeks. The evaluation results demonstrate that a significant percentage of network users with persistent DNS activities are likely to have DNS behavioral fingerprints.