Distributed Identifier-Locator Mapping Management in Mobile ILNP Networks

In the Identifier Locator Network Protocol (ILNP) networks, the existing mobility control schemes based on the centralized entity, called the Dynamic Domain Name Service (DDNS) server, such that all the control traffic is processed at the DDNS server. However, the centralized mobility schemes have significant limitations, such as control traffic overhead at the server and large handover delay. In order to resolve these issues, we propose a new mobility control scheme for ILNP networks, which manages the identifier-locators (ID-LOCs) in the fully distributed manner. In our scheme, each domain has a dedicated mobile DDNS (m-DDNS) server at the site border router (SBR). The m-DDNS server maintains two databases; i.e., home host register (HHR) and visiting host register (VHR), to support the roaming of mobile hosts. When a mobile host roams into a domain, the m-DDNS server in the visiting domain registers the host’s ID-LOC in the VHR and requests the update of HHR to the m-DDNS server in the home domain. Since the m-DDNS servers communicate each other directly, the ID-LOC mappings are managed without involvement of any central entities. We analyzed our proposed mobility scheme via numerical analysis and compared its performance with those of existing schemes. Numerical results showed that our scheme outperforms the existing mobility control schemes substantially in terms of control traffic overhead at the servers, total transmission delay and handover delay.

A Multi-Stage Detection Technique for DNS-Tunneled Botnets

Botnet communications are obfuscated within legitimate network protocols to avoid detection and remediation. Domain Name Service (DNS) is a protocol of choice to hide communication with Command & Control (C&C) servers, where botmasters tunnel these communications within DNS request and response. Since botnet communications are characterized by different features, botmasters may evade detection methods by modifying some of these features. This paper proposes a multi-staged detection approach for Domain Generation Algorithm (DGA) using domain fluxing, Fast Flux Service Network (FFSN), and encrypted DNS tunneled-based botnets using BRO Network Security Monitor. This approach is able to detect DNS-tunneled botnet communications by analyzing different techniques used to find C&C servers, and also using signature matching technique to detect DNS-tunneled SSH handshake between bots and C&C servers.

Internet of Things with Lightweight Identities Implemented Using DNS DANE—Architecture Proposal

Domain Name Service (DNS) and its certification related resource records are appealing alternative to the standard X.509 certification framework, in provision of identities for Internet of Things (IoT) smart devices. We propose to also use DNS to store device owner identification data in device certificates. A working demonstration software has been developed as proof of this concept, which uses an external identity provider run by national authorities. As a result, smart devices are equipped with certificates that safely identify both the device and its owner. Hardware requirements make such a framework applicable to constrained devices. It stimulates mutual trust in machine-to-machine and man-to-machine communication, and creation of a friendlier environment for sale, lease, and data exchange. Further extensions of the proposed architecture are also discussed.

Detecting malware based on expired command-and-control traffic

In this article, we analyze the behavioral characteristics of domain name service queries produced by programs and then design an algorithm to detect malware with expired command-and-control domains based on the key feature of domain name service traffic, that is, repeatedly querying domain with a fixed interval. In total, 3027 malware command-and-control domains in the network traffic of Shanghai Jiao Tong University, affecting 249 hosts, were successfully detected, with a high precision of 92.0%. This algorithm can find those malware with expired command-and-control domains that are usually ignored by current research and would have important value for eliminating network security risks and improving network security environment.