Abstract
Reliable network demographics are quickly becoming a much sought-after digital commodity. However, as the need for more refined Internet demographics has grown, so too has the tension between privacy and utility. Unfortunately, current techniques lean too much in favor of functional requirements over protecting the privacy of users. For example, the most prominent proposals for measuring the relative popularity of a Web site depend on the deployment of client-side measurement agents that are generally perceived as infringing on users’ privacy, thereby limiting their wide-scale adoption. Moreover, the client-side nature of these techniques also makes them susceptible to various manipulation tactics that undermine the integrity of their results. In this article, we propose a new estimation technique that uses DNS cache probing to infer the density of clients accessing a given service. Compared to earlier techniques, our scheme is less invasive as it does not reveal user-specific traits, and is more robust against manipulation. We demonstrate the flexibility of our approach through two important security applications. First, we illustrate how our scheme can be used as a lightweight technique for measuring and verifying the relative popularity rank of different Web sites. Second, using data from several hundred botnets, we apply our technique to indirectly measure the infected population of this increasing Internet phenomenon.
Peeking Through the Cloud: Client Density Estimation via DNS Cache Probing