Speaker
Description
DNS remains a foundational component of today's Internet, yet it is a frequent target of increasingly sophisticated DDoS attacks. Traditional detection methods based on static rules or thresholds struggle to keep pace with evolving and obfuscated abuse tactics.
In this work, we take first steps toward a protocol-aware detection approach that leverages large language models (LLMs) for semantic analysis of DNS traffic. Unlike conventional techniques, this approach captures contextual and sequential patterns across queries and responses, enabling the detection of subtle abuse that per-message rules miss. We group DNS abuse into five categories: flooding (e.g., query/response flooding, NXDOMAIN random-subdomain floods), reflection/amplification (e.g., NXNS, TsuNAME), redirection, subversion, and DNSSEC abuse. Our preliminary evaluation on real traces, synthetic attacks, and adversarial samples suggests that LLM-based detectors can generalize to novel threats while offering interpretable outputs. We also present a Gradio-based prototype for interactive semantic detection. We invite discussion on the practicality, performance, and future potential of integrating LLMs into operational DNS abuse detection pipelines. This work represents a promising step toward adaptive, explainable, and generalizable defense mechanisms for the evolving DNS threat landscape.
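The serialization step the approach above depends on, as an added example that is not the authors' prototype or any code from this page: it turns a constructed DNS transaction log into the kind of protocol-aware, per-source summary an LLM would be handed, and sets a static-threshold baseline beside it so the evasion the abstract alludes to is visible. The CSV log format, field names, thresholds, and sample addresses are assumptions; no model is called.

```python
"""Protocol-aware DNS window summaries next to a static-threshold baseline.

Added example, not the authors' detector. Log format, thresholds and the
sample traffic below are assumptions constructed for illustration.
"""
from __future__ import annotations

import math
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed log, one transaction per line (assumed export format):
# ts,src,qname,qtype,rcode,req_bytes,resp_bytes   (empty rcode = no response seen)
SAMPLE_LOG = """\
1.00,10.0.0.5,www.example.com,A,NOERROR,60,76
1.10,10.0.0.5,mail.example.com,MX,NOERROR,61,112
1.20,10.0.0.5,www.example.com,AAAA,NOERROR,60,88
2.00,198.51.100.7,x8f2kq1.victim.example,A,NXDOMAIN,66,120
2.01,198.51.100.7,pq7zzt0a.victim.example,A,NXDOMAIN,67,121
2.02,198.51.100.7,a91kkd2.victim.example,A,NXDOMAIN,66,120
2.03,198.51.100.7,mmq00z7s.victim.example,A,NXDOMAIN,67,121
2.04,198.51.100.7,zz7r1qpw.victim.example,A,NXDOMAIN,67,121
3.00,203.0.113.9,big.example.net,ANY,NOERROR,47,3280
3.01,203.0.113.9,big.example.net,ANY,NOERROR,47,3280
3.02,203.0.113.9,big.example.net,ANY,NOERROR,47,3280
"""

# The same random-subdomain flood spread over two sources, three queries each:
# each source stays under the baseline's count gate, so the rules say "benign".
EVASION_LOG = """\
4.00,198.51.100.7,k3q9zzt1.victim.example,A,NXDOMAIN,67,121
4.01,198.51.100.7,r0pl2mx9.victim.example,A,NXDOMAIN,67,121
4.02,198.51.100.7,y7ttq01z.victim.example,A,NXDOMAIN,67,121
4.00,198.51.100.8,b2w8qq7d.victim.example,A,NXDOMAIN,67,121
4.01,198.51.100.8,n4zz1kc0.victim.example,A,NXDOMAIN,67,121
4.02,198.51.100.8,h9j3x0rr.victim.example,A,NXDOMAIN,67,121
"""


@dataclass(frozen=True)
class Rec:
    ts: float
    src: str
    qname: str
    qtype: str
    rcode: str        # "" when no response was observed
    req_bytes: int
    resp_bytes: int   # 0 when no response was observed


def parse_log(text: str) -> list[Rec]:
    """Parse the assumed CSV-style export, skipping blank and comment lines."""
    recs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, qname, qtype, rcode, req, resp = line.split(",")
        recs.append(Rec(float(ts), src, qname.lower().rstrip("."), qtype.upper(),
                        rcode.upper(), int(req), int(resp)))
    return recs


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character; random-looking labels score high."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def window_features(recs: list[Rec]) -> dict:
    """Per-source aggregates a rule engine or a prompt builder can use."""
    n = len(recs)
    req = sum(r.req_bytes for r in recs)
    resp = sum(r.resp_bytes for r in recs)
    return {
        "n": n,
        "nxdomain_ratio": sum(r.rcode == "NXDOMAIN" for r in recs) / n,
        "distinct_ratio": len({r.qname for r in recs}) / n,
        "mean_label_entropy": sum(label_entropy(r.qname.split(".")[0]) for r in recs) / n,
        "any_share": sum(r.qtype == "ANY" for r in recs) / n,
        "amp_ratio": resp / req if req else 0.0,
    }


def threshold_baseline(f: dict) -> str:
    """Static rules of the kind the abstract contrasts with; thresholds assumed."""
    if f["n"] >= 5 and f["nxdomain_ratio"] >= 0.8 and f["distinct_ratio"] >= 0.8:
        return "flooding"
    if f["n"] >= 3 and f["any_share"] >= 0.5 and f["amp_ratio"] >= 10:
        return "reflection/amplification"
    return "benign"


def summarize_window(src: str, recs: list[Rec]) -> str:
    """Compact, protocol-aware text an LLM would receive instead of raw packets."""
    f = window_features(recs)
    qtypes = ", ".join(f"{t} x{c}" for t, c in Counter(r.qtype for r in recs).most_common())
    rcodes = ", ".join(f"{t} x{c}" for t, c in Counter(r.rcode or "NO-RESPONSE" for r in recs).most_common())
    seq = "; ".join(f"{r.qtype} {r.qname} -> {r.rcode or 'no response'} {r.resp_bytes}B" for r in recs)
    return (f"source {src}: {f['n']} transactions over {recs[-1].ts - recs[0].ts:.2f}s\n"
            f"qtypes: {qtypes}\nrcodes: {rcodes}\n"
            f"distinct names {f['distinct_ratio']:.0%}, leftmost-label entropy "
            f"{f['mean_label_entropy']:.2f} bits/char, bytes in/out x{f['amp_ratio']:.1f}\n"
            f"sequence: {seq}")


def analyze(text: str) -> dict[str, dict]:
    """Group transactions by source; return features, baseline verdict and summary."""
    by_src: dict[str, list[Rec]] = defaultdict(list)
    for r in parse_log(text):
        by_src[r.src].append(r)
    out = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r.ts)
        f = window_features(recs)
        out[src] = {"features": f, "baseline": threshold_baseline(f),
                    "summary": summarize_window(src, recs)}
    return out


if __name__ == "__main__":
    for log in (SAMPLE_LOG, EVASION_LOG):
        for res in analyze(log).values():
            print(res["summary"], "\nbaseline:", res["baseline"], "\n")
```

Running it prints three summaries for the first log (benign browsing, a random-subdomain NXDOMAIN flood, and ANY queries returning roughly 70x the request bytes) with the baseline labelling the last two correctly, then two summaries for the split flood that the baseline calls benign even though each summary still states 100% NXDOMAIN, 100% distinct names and high label entropy. That residual signal in the serialized sequence, rather than the count gate, is what a semantic detector is meant to act on.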
Summary
- Motivation: Why LLMs for DNS abuse detection
- Method: Protocol-aware semantic analysis of DNS traffic
- Categories of abuse: Flooding, Reflection/Amplification, Redirection, Subversion, DNSSEC abuse
- Evaluation: Real, synthetic, and adversarial datasets
- Live Demo: Gradio-based Web UI
- Discussion: Deployment potential, limitations, and future work
| Talk duration | 10 Minutes (+5 for Q&A) |
|---|---|
| Other conferences? | The submission is scheduled for next year. |