7–8 Oct 2025
Quality Hotel Globe
Europe/Stockholm timezone

LLMs for DNS Abuse Detection: Promising or Overhyped?

8 Oct 2025, 11:35
20m
Stjärnrummet (Quality Hotel Globe), Arenaslingan 7, 121 77 Johanneshov, Sweden
In-Person · Standard Presentation · Public Workshop · OARC 45 Day 2

Speaker

Jihye Kim (Universität der Bundeswehr München)

Description

DNS remains a foundational component of today's Internet infrastructure, yet it continues to be targeted by abuse techniques such as flooding, amplification, and redirection. Traditional detection approaches, often based on static rules or statistical models, struggle to adapt to evolving and obfuscated abuse tactics.
In this research, we explore a protocol-aware detection approach that leverages large language models (LLMs) for semantic analysis of DNS traffic. Unlike conventional systems, this method captures contextual and sequential patterns within DNS queries and responses, enabling the detection of nuanced forms of abuse. We categorize DNS abuse into three types: (1) flooding attacks (e.g., NXDOMAIN water torture), (2) amplification and reflection exploits (e.g., NXNS, TsuNAME), and (3) redirection and semantic manipulation (e.g., cache poisoning, SADDNS).
Our evaluation combines real-world logs, synthetic attack traces, and adversarial samples, demonstrating that LLM-based detectors can generalize to novel threats while offering explainable insights. To support operator experimentation, we also present a live demonstration via a Gradio-based web interface, showcasing how semantic detection can flag suspicious traffic in an interactive environment.
We invite discussion on the practicality, performance, and future potential of integrating LLMs into operational DNS abuse detection pipelines. This work represents a promising step toward adaptive, explainable, and generalizable defense mechanisms for the evolving DNS threat landscape.
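The abstract contrasts the LLM approach with "static rules or statistical models". As a point of reference for the first abuse category (flooding, NXDOMAIN water torture), here is an added example of what such a conventional baseline looks like. It is not the talk's method or the authors' code; the log lines are constructed, the five-field log format and the two-label zone cut are assumptions. It scores each (client, zone) pair on NXDOMAIN ratio and the Shannon entropy of the leftmost label, which is the signal a random-subdomain flood leaves behind, and it also shows the kind of evasion (low-entropy dictionary labels, spreading queries over many source addresses) that such thresholds do not adapt to on their own.

```python
"""Added example: rule/statistics baseline for NXDOMAIN water torture detection.
Not the talk's LLM-based method; it illustrates the conventional baseline the
abstract says struggles with evolving and obfuscated abuse."""
from __future__ import annotations

import math
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample resolver log (not real traffic). Assumed format:
# timestamp client qname qtype rcode
SAMPLE_LOG = """\
2025-10-08T11:35:01 198.51.100.7 www.example.net A NOERROR
2025-10-08T11:35:01 198.51.100.7 mail.example.net MX NOERROR
2025-10-08T11:35:02 198.51.100.7 api.example.net A NOERROR
2025-10-08T11:35:02 198.51.100.7 cdn.example.net A NOERROR
2025-10-08T11:35:03 192.0.2.44 wwww.example.net A NXDOMAIN
2025-10-08T11:35:03 203.0.113.9 q7x2kd9p.victim.example A NXDOMAIN
2025-10-08T11:35:03 203.0.113.9 a3vm8zrt.victim.example A NXDOMAIN
2025-10-08T11:35:04 203.0.113.9 h1j5wn4y.victim.example A NXDOMAIN
2025-10-08T11:35:04 203.0.113.9 bx9c2lqf.victim.example A NXDOMAIN
2025-10-08T11:35:04 203.0.113.9 t6ue0mkd.victim.example A NXDOMAIN
2025-10-08T11:35:05 203.0.113.9 zg4r7sa1.victim.example A NXDOMAIN
"""


@dataclass(frozen=True)
class Record:
    ts: str
    client: str
    qname: str
    qtype: str
    rcode: str


def parse_log(text: str) -> list[Record]:
    """Parse the assumed five-field format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        records.append(Record(*parts))
    return records


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of a single DNS label.
    Random-looking labels score high; 'www' scores 0."""
    if not label:
        return 0.0
    counts: dict[str, int] = defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def zone_and_label(qname: str) -> tuple[str, str]:
    """Assumption: the zone is the last two labels (no public-suffix handling)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[0]


def detect_water_torture(records, min_queries=5, min_nx_ratio=0.8, min_entropy=2.5):
    """Return (client, zone, reason) for pairs that look like a random-subdomain flood.
    The reason string is the baseline's (limited) form of explainability."""
    buckets: dict[tuple[str, str], list[tuple[str, str]]] = defaultdict(list)
    for r in records:
        zone, label = zone_and_label(r.qname)
        buckets[(r.client, zone)].append((r.rcode, label))

    findings = []
    for (client, zone), items in sorted(buckets.items()):
        if len(items) < min_queries:
            continue  # a lone typo (wwww.example.net) never reaches the threshold
        nx_ratio = sum(1 for rc, _ in items if rc == "NXDOMAIN") / len(items)
        mean_entropy = sum(label_entropy(lbl) for _, lbl in items) / len(items)
        if nx_ratio >= min_nx_ratio and mean_entropy >= min_entropy:
            reason = (f"{len(items)} queries, NXDOMAIN ratio {nx_ratio:.2f}, "
                      f"mean label entropy {mean_entropy:.2f} bits")
            findings.append((client, zone, reason))
    return findings


if __name__ == "__main__":
    for client, zone, reason in detect_water_torture(parse_log(SAMPLE_LOG)):
        print(f"ALERT: water-torture-like traffic from {client} against {zone} ({reason})")
```

The three thresholds are exactly the "static rules" the abstract refers to: a flood that uses dictionary words as labels stays under `min_entropy`, and one spread across many clients stays under `min_queries`, so each evasion needs a new hand-tuned rule. That is the gap a context-aware, sequence-level detector is meant to close, and it is a useful yardstick when judging whether an LLM-based detector actually generalizes beyond it.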

Summary

  • Motivation: Why LLMs for DNS abuse detection
  • Method: Protocol-aware semantic analysis of DNS traffic
  • Categories of abuse: Flooding, Amplification, Redirection
  • Evaluation: Real, synthetic, and adversarial datasets
  • Live Demo: Gradio-based Web UI
  • Discussion: Deployment potential, limitations, and future work
Talk duration: 10 minutes (+5 for Q&A)
Other conferences?: The submission is scheduled for next year.

Primary author

Jihye Kim (Universität der Bundeswehr München)

Presentation materials

There are no materials yet.