Enriching DNS Flows with Host-Based Events to Bypass Future Protocol Encryption
Result identifiers
Result code in IS VaVaI
<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F00216224%3A14610%2F21%3A00121835" target="_blank" >RIV/00216224:14610/21:00121835 - isvavai.cz</a>
Result on the web
<a href="https://doi.org/10.1007/978-3-030-78120-0_20" target="_blank" >https://doi.org/10.1007/978-3-030-78120-0_20</a>
DOI - Digital Object Identifier
<a href="http://dx.doi.org/10.1007/978-3-030-78120-0_20" target="_blank" >10.1007/978-3-030-78120-0_20</a>
Alternative languages
Language of the result
English
Title in the original language
Enriching DNS Flows with Host-Based Events to Bypass Future Protocol Encryption
Description of the result in the original language
Host-based event monitoring and network flow monitoring are the two most common techniques for collecting and analyzing cybersecurity data. However, events and flows are either monitored separately or correlated only as alerts at a higher level of aggregation. Event-flow correlation at the monitoring level would match related events and flows together and enable observing both kinds of data in near real time. This approach allows substituting for application-level flow information that will no longer be available due to encryption, which is being adopted in a number of communication protocols. In this paper, we performed event-flow correlation for the DNS protocol. We developed a general model that describes the relation between events and flows to enable accurate time-based correlation where parameter-based correlation is not feasible. Based on the model, we designed three event-flow correlation methods based on common parameters and times of occurrence. We evaluated the correlation methods on a recent public dataset, both with and without the extended flow information, to simulate DNS flow encryption. The results of the method combining parameter-based and time-based matching show that matching related DNS events to flows is possible and substitutes for the data that might soon be lost to encryption.
Title in English
Enriching DNS Flows with Host-Based Events to Bypass Future Protocol Encryption
Description of the result in English
Host-based event monitoring and network flow monitoring are the two most common techniques for collecting and analyzing cybersecurity data. However, events and flows are either monitored separately or correlated only as alerts at a higher level of aggregation. Event-flow correlation at the monitoring level would match related events and flows together and enable observing both kinds of data in near real time. This approach allows substituting for application-level flow information that will no longer be available due to encryption, which is being adopted in a number of communication protocols. In this paper, we performed event-flow correlation for the DNS protocol. We developed a general model that describes the relation between events and flows to enable accurate time-based correlation where parameter-based correlation is not feasible. Based on the model, we designed three event-flow correlation methods based on common parameters and times of occurrence. We evaluated the correlation methods on a recent public dataset, both with and without the extended flow information, to simulate DNS flow encryption. The results of the method combining parameter-based and time-based matching show that matching related DNS events to flows is possible and substitutes for the data that might soon be lost to encryption.
Classification
Type
D - Paper in conference proceedings
CEP field
—
OECD FORD field
10200 - Computer and information sciences
Result linkages
Project
—
Linkages
S - Specific research at universities
Other
Year of publication
2021
Data confidentiality code
S - Complete and true data on the project are not subject to protection under special legal regulations
Data specific to the result type
Name of the proceedings
ICT Systems Security and Privacy Protection
ISBN
9783030781194
ISSN
1868-4238
e-ISSN
1868-422X
Number of pages
15
Pages from-to
302-316
Publisher
Springer
Place of publication
Oslo
Event venue
Oslo
Event date
1. 1. 2021
Event type by nationality
WRD - Worldwide event
WoS UT code of the article
—