Reachability Analysis of the Domain Name System
- URL: http://arxiv.org/abs/2411.10188v2
- Date: Wed, 20 Nov 2024 08:27:16 GMT
- Title: Reachability Analysis of the Domain Name System
- Authors: Dhruv Nevatia, Si Liu, David Basin,
- Abstract summary: DNS poses unique challenges for ensuring its security and reliability.
We provide the first decision procedure for the DNS verification problem, establishing its complexity as $mathsf2ExpTime$.
We model two of the most prominent attack vectors on DNS, namely amplification attacks and rewrite blackholing.
- Score: 6.505115615627764
- License: http://creativecommons.org/licenses/by-sa/4.0/
- Abstract: The high complexity of DNS poses unique challenges for ensuring its security and reliability. Despite continuous advances in DNS testing, monitoring, and verification, protocol-level defects still give rise to numerous bugs and attacks. In this paper, we provide the first decision procedure for the DNS verification problem, establishing its complexity as $\mathsf{2ExpTime}$, which was previously unknown. We begin by formalizing the semantics of DNS as a system of recursive communicating processes extended with timers and an infinite message alphabet. We provide an algebraic abstraction of the alphabet with finitely many equivalence classes, using the subclass of semigroups that recognize positive prefix-testable languages. We then introduce a novel generalization of bisimulation for labelled transition systems, weaker than strong bisimulation, to show that our abstraction is sound and complete. Finally, using this abstraction, we reduce the DNS verification problem to the verification problem for pushdown systems. To show the expressiveness of our framework, we model two of the most prominent attack vectors on DNS, namely amplification attacks and rewrite blackholing.
Related papers
- Failing Forward: Improving Generative Error Correction for ASR with Synthetic Data and Retrieval Augmentation [73.9145653659403]
We show that Generative Error Correction models struggle to generalize beyond the specific types of errors encountered during training.
We propose DARAG, a novel approach designed to improve GEC for ASR in in-domain (ID) and OOD scenarios.
Our approach is simple, scalable, and both domain- and language-agnostic.
arXiv Detail & Related papers (2024-10-17T04:00:29Z) - MTDNS: Moving Target Defense for Resilient DNS Infrastructure [2.8721132391618256]
DNS (Domain Name System) is one of the most critical components of the Internet.
Researchers have been constantly developing methods to detect and defend against the attacks against DNS.
Most solutions discard packets for defensive approaches, which can cause legitimate packets to be dropped.
We propose MTDNS, a resilient MTD-based approach that employs Moving Target Defense techniques.
arXiv Detail & Related papers (2024-10-03T06:47:16Z) - Multi-Task DNS Security Analysis via High-Order Heterogeneous Graph Embedding [2.1842847029116443]
I propose a novel joint DNS embedding model to formulate the DNS query behavior via a similarity-enhanced graph with heterogeneous entities.
Experiments on real DNS traffic demonstrate that the joint optimization of multiple tasks with the latent high-order proximities can lead to better security analysis performance for all the tasks.
arXiv Detail & Related papers (2024-01-15T01:18:57Z) - TI-DNS: A Trusted and Incentive DNS Resolution Architecture based on Blockchain [8.38094558878305]
Domain Name System (DNS) is vulnerable to some malicious attacks, including DNS cache poisoning.
This paper presents TI-DNS, a blockchain-based DNS resolution architecture designed to detect and correct the forged DNS records.
TI-DNS is easy to be adopted as it only requires modifications to the resolver side of current DNS infrastructure.
arXiv Detail & Related papers (2023-12-07T08:03:10Z) - ResolverFuzz: Automated Discovery of DNS Resolver Vulnerabilities with
Query-Response Fuzzing [22.15711226930362]
Domain Name System (DNS) resolvers are the central piece of the DNS infrastructure.
Finding the resolver vulnerabilities is non-trivial, and this problem is not well addressed by the existing tools.
In this paper, we present a new fuzzing system termed ResolverFuzz to address the challenges related to DNS resolvers.
arXiv Detail & Related papers (2023-10-04T23:17:32Z) - AutoDAN: Generating Stealthy Jailbreak Prompts on Aligned Large Language Models [54.95912006700379]
We introduce AutoDAN, a novel jailbreak attack against aligned Large Language Models.
AutoDAN can automatically generate stealthy jailbreak prompts by the carefully designed hierarchical genetic algorithm.
arXiv Detail & Related papers (2023-10-03T19:44:37Z) - Improving the Robustness of Summarization Systems with Dual Augmentation [68.53139002203118]
A robust summarization system should be able to capture the gist of the document, regardless of the specific word choices or noise in the input.
We first explore the summarization models' robustness against perturbations including word-level synonym substitution and noise.
We propose a SummAttacker, which is an efficient approach to generating adversarial samples based on language models.
arXiv Detail & Related papers (2023-06-01T19:04:17Z) - Explaining Machine Learning DGA Detectors from DNS Traffic Data [11.049278217301048]
This work addresses the problem of Explainable ML in the context of botnet and DGA detection.
It is the first to concretely break down the decisions of ML classifiers when devised for botnet/DGA detection.
arXiv Detail & Related papers (2022-08-10T11:34:26Z) - Optimized Random Forest Model for Botnet Detection Based on DNS Queries [8.641714871787595]
Domain Name System (DNS) protocol has several security vulnerabilities.
One promising solution to detect DNS-based botnet attacks is adopting machine learning (ML) based solutions.
This paper proposes a novel optimized ML-based framework to detect botnets based on their corresponding DNS queries.
arXiv Detail & Related papers (2020-12-16T16:34:11Z) - Cross-Domain Generalization Through Memorization: A Study of Nearest
Neighbors in Neural Duplicate Question Detection [72.01292864036087]
Duplicate question detection (DQD) is important to increase efficiency of community and automatic question answering systems.
We leverage neural representations and study nearest neighbors for cross-domain generalization in DQD.
We observe robust performance of this method in different cross-domain scenarios of StackExchange, Spring and Quora datasets.
arXiv Detail & Related papers (2020-11-22T19:19:33Z) - Global Optimization of Objective Functions Represented by ReLU Networks [77.55969359556032]
Neural networks can learn complex, non- adversarial functions, and it is challenging to guarantee their correct behavior in safety-critical contexts.
Many approaches exist to find failures in networks (e.g., adversarial examples), but these cannot guarantee the absence of failures.
We propose an approach that integrates the optimization process into the verification procedure, achieving better performance than the naive approach.
arXiv Detail & Related papers (2020-10-07T08:19:48Z) - Attentive WaveBlock: Complementarity-enhanced Mutual Networks for
Unsupervised Domain Adaptation in Person Re-identification and Beyond [97.25179345878443]
This paper proposes a novel light-weight module, the Attentive WaveBlock (AWB)
AWB can be integrated into the dual networks of mutual learning to enhance the complementarity and further depress noise in the pseudo-labels.
Experiments demonstrate that the proposed method achieves state-of-the-art performance with significant improvements on multiple UDA person re-identification tasks.
arXiv Detail & Related papers (2020-06-11T15:40:40Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.