Minzhao Lyu

Agung Septiadi, Minzhao Lyu, Hassan Habibi Gharakheili et al.

Online government services are increasingly regarded as critical national infrastructure. Because these services directly influence public trust, any disruption can have significant societal and political consequences. Yet their supporting infrastructures remain vulnerable to outages from natural disasters, geopolitical tensions, and targeted attacks. Central to their operation is the authoritative Domain Name System (DNS) infrastructure, the single source of truth that maps government domain names to service endpoints. While indispensable, this infrastructure also represents a potential and critical point of system failure. In this paper, we introduce a comprehensive assessment framework with purpose-designed mechanisms to systematically evaluate the operational resilience of authoritative DNS infrastructure supporting government services. Complementing prior studies on website hosting, recursive resolution, and DNS record integrity, our work provides a holistic view of authoritative DNS operation. Our first contribution develops a multi-sourced data schema that characterizes a (government) domain's authoritative DNS infrastructure across four hierarchical levels: physical hosting infrastructure, server functionality, name servers, and individual hosting instances. Using data collected from six representative countries, our second contribution identifies resilience attributes at their finest applicable hierarchy across three operational phases: infrastructure placement, service configuration, and DNS record dispatch. Our method assigns numerical scores to each attribute and aggregates them algorithmically to enable consistent and cross-domain comparisons. We apply our method to government domains in the six countries, highlighting their strengths and weaknesses in authoritative DNS resilience and pinpointing operational practices that require improvement.

Rushi Jayeshkumar Babaria, Minzhao Lyu, Gustavo Batista et al.

Network traffic classification is of great importance for network operators in their daily routines, such as analyzing the usage patterns of multimedia applications and optimizing network configurations. Internet service providers (ISPs) that operate high-speed links expect network flow classifiers to accurately classify flows early, using the minimal number of necessary initial packets per flow. These classifiers must also be robust to packet sequence disorders in candidate flows and capable of detecting unseen flow types that are not within the existing classification scope, which are not well achieved by existing methods. In this paper, we develop FastFlow, a time-series flow classification method that accurately classifies network flows as one of the known types or the unknown type, which dynamically selects the minimal number of packets to balance accuracy and efficiency. Toward the objectives, we first develop a flow representation process that converts packet streams at both per-packet and per-slot granularity for precise packet statistics with robustness to packet sequence disorders. Second, we develop a sequential decision-based classification model that leverages LSTM architecture trained with reinforcement learning. Our model makes dynamic decisions on the minimal number of time-series data points per flow for the confident classification as one of the known flow types or an unknown one. We evaluated our method on public datasets and demonstrated its superior performance in early and accurate flow classification. Deployment insights on the classification of over 22.9 million flows across seven application types and 33 content providers in a campus network over one week are discussed, showing that FastFlow requires an average of only 8.37 packets and 0.5 seconds to classify the application type of a flow with over 91% accuracy and over 96% accuracy for the content providers.

Yifan Wang, Minzhao Lyu, Vijay Sivaraman

To tap into the growing market of cloud gaming, whereby game graphics is rendered in the cloud and streamed back to the user as a video feed, network operators are creating monetizable assurance services that dynamically provision network resources. However, without accurately measuring cloud gaming user experience, they cannot assess the effectiveness of their provisioning methods. Basic measures such as bandwidth and frame rate by themselves do not suffice, and can only be interpreted in the context of the game played and the player activity within the game. This paper equips the network operator with a method to obtain a real-time measure of cloud gaming experience by analyzing network traffic, including contextual factors such as the game title and player activity stage. Our method is able to classify the game title within the first five seconds of game launch, and continuously assess the player activity stage as being active, passive, or idle. We deploy it in an ISP hosting NVIDIA cloud gaming servers for the region. We provide insights from hundreds of thousands of cloud game streaming sessions over a three-month period into the dependence of bandwidth consumption and experience level on the gameplay contexts.

Minzhao Lyu, Hassan Habibi Gharakheili, Craig Russell et al.

The Domain Name System (DNS) is a critical service that enables domain names to be converted to IP addresses (or vice versa); consequently, it is generally permitted through enterprise security systems (e.g., firewalls) with little restriction. This has exposed organizational networks to DDoS, exfiltration, and reflection attacks, inflicting significant financial and reputational damage. Large organizations with loosely federated IT departments (e.g., Universities and Research Institutes) often do not even fully aware of all their DNS assets and vulnerabilities, let alone the attack surface they expose to the outside world. In this paper, we address the "DNS blind spot" by developing methods to passively analyze live DNS traffic, identify organizational DNS assets, and monitor their health on a continuous basis. Our contributions are threefold. First, we perform a comprehensive analysis of all DNS traffic in two large organizations (a University Campus and a Government Research Institute) for over a month, and identify key behavioral profiles for various asset types such as recursive resolvers, authoritative name servers, and mixed DNS servers. Second, we develop an unsupervised clustering method that classifies enterprise DNS assets using the behavioral attributes identified, and demonstrate that our method successfully classifies over 100 DNS assets across the two organizations. Third, our method continuously tracks various health metrics across the organizational DNS assets and identifies several instances of improper configuration, data exfiltration, DDoS, and reflection attacks. We believe the passive analysis methods in this paper can help enterprises monitor organizational DNS health in an automated and risk-free manner.

Minzhao Lyu, Hassan Habibi Gharakheili, Vijay Sivaraman

The domain name system (DNS) that maps alphabetic names to numeric Internet Protocol (IP) addresses plays a foundational role for Internet communications. By default, DNS queries and responses are exchanged in unencrypted plaintext, and hence, can be read and/or hijacked by third parties. To protect user privacy, the networking community has proposed standard encryption technologies such as DNS over TLS (DoT), DNS over HTTPS (DoH), and DNS over QUIC (DoQ) for DNS communications, enabling clients to perform secure and private domain name lookups. We survey the DNS encryption literature published since 2016, focusing on its current landscape and how it is misused by malware, and highlighting the existing techniques developed to make inferences from encrypted DNS traffic. First, we provide an overview of various standards developed in the space of DNS encryption and their adoption status, performance, benefits, and security issues. Second, we highlight ways that various malware families can exploit DNS encryption to their advantage for botnet communications and/or data exfiltration. Third, we discuss existing inference methods for profiling normal patterns and/or detecting malicious encrypted DNS traffic. Several directions are presented to motivate future research in enhancing the performance and security of DNS encryption.