Just as you can recognize someone more easily by name than by their official ID or phone number, the Domain Name System (DNS) provides a convenient way to name and access internet services or resources behind IP addresses. The prevalence of DNS, its critical role in network connectivity, and the failure of most network security policies to monitor network traffic on UDP port 53 make DNS attractive to malicious actors. Some of the best-known DNS-based security threats implement malware command and control (C&C) communications, data theft, fast flux, and domain generation algorithms, knowing that traditional security solutions cannot detect them.
For over two decades, Infoblox has been a leading provider of technology and services to manage and secure the networking core, such as DNS, DHCP, and IP address management (collectively known as DDI). More than 500 customers, including more than a third of Fortune 8,000, rely on Infoblox to reliably automate, manage, and secure their on-premises, cloud, and hybrid networks.
Over the past 5 years, Infoblox has used AWS to create SaaS services and help customers extend DDI services from on-premises physical devices to the cloud. The focus of this post is how Infoblox used Amazon SageMaker and other AWS services to create a DNS security analysis service that detects abuse, corruption, and impersonation of customer brands.
Detecting customer brands or domain names targeted by socially engineered attacks has emerged as an important requirement for the security analytics services offered to customers. In the context of DNS, a homograph is a domain name that is visually similar to another domain name, called the target. Malicious actors can use homographs to impersonate highly valuable domain name targets in order to drop malware, phish user information, attack a brand's reputation, and so on. Users cannot easily distinguish homographs from legitimate domain names. In some cases, homographs and target domains cannot be told apart by visual comparison alone.
A traditional domain name is composed of digits, letters, and hyphens from the ASCII character encoding scheme, which has 128 code points (or possible characters), or from Extended ASCII, which has 256 code points. Internationalized domain names (IDNs) are domain names that can also use Unicode characters, so they can be written in languages that use Latin letters with ligatures or diacritics (such as é or ü), or that do not use the Latin alphabet at all. IDNs offer extensive alphabets for most writing systems and languages, and allow you to access the internet in your own language. Similarly, as internet usage grows all over the world, IDNs offer a great way for anyone to connect with their target market, no matter what language they speak. To enable that many languages, each IDN is represented in Punycode, which consists of a series of ASCII characters.
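The homograph and Punycode passages above can be made concrete with a short detection sketch. This is an added example, not Infoblox's code or model: it decodes Punycode labels back to Unicode, reports which scripts a name mixes, and compares a folded "skeleton" against a watch list of target domains. The confusables table, the function names, and the sample domains are assumptions constructed for illustration.

```python
import unicodedata

# Constructed, deliberately tiny look-alike table (assumption); a production
# detector would use the full Unicode confusables data or a trained model.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}

def decode_label(label):
    """Return the Unicode form of one DNS label; Punycode labels start with xn--."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def decode_domain(domain):
    return ".".join(decode_label(part) for part in domain.rstrip(".").split("."))

def scripts(text):
    """Scripts used by the letters in text (first word of each Unicode name)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}

def skeleton(text):
    """Strip diacritics, then fold known look-alikes to their ASCII counterpart."""
    decomposed = unicodedata.normalize("NFKD", text)
    base = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in base)

def check(domain, targets):
    """Classify a queried domain against a watch list of protected targets."""
    uni = decode_domain(domain)
    folded = skeleton(uni)
    hit = folded if uni not in targets and folded in targets else None
    return {"unicode": uni, "scripts": sorted(scripts(uni)), "homograph_of": hit}

def to_wire(label):
    """Helper for building constructed samples: Unicode label -> xn-- form."""
    return "xn--" + label.encode("punycode").decode("ascii")

if __name__ == "__main__":
    # Constructed sample: 'example' with a Cyrillic 'а' in place of Latin 'a'.
    sample = to_wire("ex\u0430mple") + ".com"
    print(sample, check(sample, {"example.com"}))
```

A name that mixes scripts within one label, or whose skeleton equals a watched target while the decoded name does not, is a candidate for review rather than a confirmed homograph.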