85. Identifying Malicious Entities through Massive Graph Analysis of DNS Resolution Patterns
Authors: Trevor J. Goodyear (Georgia Institute of Technology)Evan B. Stuart (Georgia Institute of Technology)Michael S. Fields (Georgia Institute of Technology)Eric R. Hein (Georgia Institute of Technology)Mark Wisneski (Georgia Institute of Technology)
Abstract: In this work, we apply graph metrics to an Active DNS dataset, provided by the Georgia Tech Astrolavos Lab, to characterize and identify malicious actors within the DNS infrastructure of the Internet. Active DNS uses a set of data sources - including TLD Zone Files, public blacklists, and many others - to gather approximately 250 million DNS records per day. We use A records from this dataset to form a graph. From this graph we compute various metrics for each vertex using the following algorithms: PageRank, betweenness centrality, k-core decomposition, and in- and out-degree. Using Random Forest, we identify malicious nodes within Active DNS. This work uses the high-performance streaming graph analysis platform, STINGER for rapid generation of graph-based features for hundreds of millions of data domain names and IP addresses.
Two-page extended abstract: pdf