An agent-based framework for dynamical understanding of DNS events (DUDE)

2014 
An area of increasing importance in cyber-security is detecting instances of advanced persistent threat (APT). In contrast to the single-stage attacks common a decade ago, APTs consist of a sequence of interdependent steps, often involving multiple machines and different types of exploits over a period of time. This paper explores mechanisms for detecting traces of APTs in DNS logs. We first transform the logs into a graph, then deploy analysis agents on the graph. The graph structure offers two benefits: agents can interact by storing and retrieving information in the graph (thus supporting an open set of agents), and because their interactions are local, the computation can readily be distributed across multiple processors for scaling. We describe two kinds of agents: one to analyze the local structure of the graph, and one to convert time-domain records to frequency domain. Then we analyze how well they work against our test data, which consists of two months of real DNS address-resolution records from a large organization with sample attacks inserted in the second month.
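The pipeline the abstract sketches, as an added illustration that is not code from the paper: constructed DNS address-resolution records are turned into a graph, a local-structure agent annotates each domain node with its neighbourhood, and a frequency agent bins the query times on every client-to-domain edge, takes the DFT and scores how much of the non-DC power sits at one frequency (regular beaconing concentrates it; irregular browsing spreads it). The record layout, the 1920 s window, the 15 s bin width and the 0.3 threshold are assumptions.

```python
import cmath
from collections import defaultdict

# Constructed records (assumed layout): seconds since window start, client, domain, answer.
BEACON = [(60 * i, "h1", "beacon.example", "203.0.113.10") for i in range(32)]
BROWSING = [(t, "h2", "www.example", ip) for t, ip in [
    (7, "198.51.100.5"), (23, "198.51.100.5"), (95, "198.51.100.6"), (310, "198.51.100.5"),
    (702, "198.51.100.6"), (1187, "198.51.100.5"), (1543, "198.51.100.6"), (1899, "198.51.100.5")]]
RECORDS = BEACON + BROWSING

def build_graph(records):
    """Graph form of the log: client->domain edges keep query times, domain->address
    edges keep resolution times; agents read and write annotations on this structure."""
    nodes, edges = {}, defaultdict(list)
    for t, client, domain, addr in records:
        nodes[client], nodes[domain], nodes[addr] = {"kind": "client"}, {"kind": "domain"}, {"kind": "address"}
        edges[(client, domain)].append(t)
        edges[(domain, addr)].append(t)
    return {"nodes": nodes, "edges": edges, "scores": {}}

def local_structure_agent(graph):
    """Record on each domain node the distinct clients querying it and the distinct
    addresses it resolved to (its local neighbourhood), for other agents to reuse."""
    for src, dst in graph["edges"]:
        if graph["nodes"][src]["kind"] == "client":
            graph["nodes"][dst].setdefault("clients", set()).add(src)
        else:
            graph["nodes"][src].setdefault("addresses", set()).add(dst)

def periodicity_score(times, window, bin_width):
    """Bin the query times (assumed to lie inside the window), take the DFT and return
    the share of non-DC power held by the strongest single frequency (1.0 = pure tone)."""
    n = window // bin_width
    x = [0] * n
    for t in times:
        x[int(t // bin_width)] += 1
    power = []
    for k in range(1, n // 2 + 1):
        xk = sum(x[m] * cmath.exp(-2j * cmath.pi * k * m / n) for m in range(n) if x[m])
        power.append(abs(xk) ** 2)
    total = sum(power)
    return max(power) / total if total else 0.0

def frequency_agent(graph, window=1920, bin_width=15):
    """Time domain to frequency domain: store a periodicity score on each client->domain edge."""
    for (src, dst), times in graph["edges"].items():
        if graph["nodes"][src]["kind"] == "client":
            graph["scores"][(src, dst)] = periodicity_score(times, window, bin_width)

def analyse(records, threshold=0.3):
    graph = build_graph(records)
    local_structure_agent(graph)
    frequency_agent(graph)
    return graph, sorted(e for e, s in graph["scores"].items() if s >= threshold)
```

With a 60 s beacon binned at 15 s the power lands only on the fundamental and its one in-band harmonic, so the score is exactly 0.5, while eight irregular lookups cannot exceed about 0.13 by Parseval's identity.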