Detecting mass-mailing worm infected hosts by mining DNS traffic data

Authors:
Keisuke Ishibashi;Tsuyoshi Toyono;Katsuyasu Toyama;Masahiro Ishino;Haruhiko Ohshima;Ichiro Mizukoshi
Affiliations:
NTT Corporation, Tokyo, Japan;NTT Corporation, Tokyo, Japan;NTT Corporation, Tokyo, Japan;NTT Communications Corporation, Tokyo, Japan;NTT Communications Corporation, Tokyo, Japan;NTT Communications Corporation, Tokyo, Japan
Venue:
Proceedings of the 2005 ACM SIGCOMM workshop on Mining network data
Year:
2005

Citing 5
Cited 5

A statistical approach to the spam problem

Linux Journal
Learning nonstationary models of normal network traffic for detecting novel attacks

Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining
Data Mining Methods for Detection of New Malicious Executables

SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Inferring relative popularity of internet applications by actively querying DNS caches

Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement
A study of mass-mailing worms

Proceedings of the 2004 ACM workshop on Rapid malcode

A new worm exploiting IPv4-IPv6 dual-stack networks

Proceedings of the 2007 ACM workshop on Recurring malcode
Characterizing Dark DNS Behavior

DIMVA '07 Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Bayesian bot detection based on DNS traffic similarity

Proceedings of the 2009 ACM symposium on Applied Computing
Using Artificial Intelligence for Intrusion Detection

Proceedings of the 2007 conference on Emerging Artificial Intelligence Applications in Computer Engineering: Real Word AI Systems with Applications in eHealth, HCI, Information Retrieval and Pervasive Technologies
Extending black domain name list by using co-occurrence relation between DNS queries

LEET'10 Proceedings of the 3rd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more

Quantified Score

Hi-index	0.01

Visualization

Abstract

The Domain Name System (DNS) is a critical infrastructure in the Internet; thus, monitoring its traffic, and protecting DNS from malicious activities are important for security in cyberspace. However, it is often difficult to determine whether a DNS query is caused by malicious or normal activity, because information available in DNS traffic is limited.We focus on the activities of mass-mailing worms and propose a method to detect hosts infected by mass-mailing worms by mining DNS traffic data. Our method begins with a small amount of a priori knowledge about a signature query. By assuming that queries sent by most hosts that have sent the signature query of worms have been sent by worm behavior, we detect infected hosts using Bayesian estimation.We apply our method to DNS traffic data captured at one of the largest commercial Internet Service Providers in Japan, and the experimental result indicates that an 89% reduction of mail exchange queries can be achieved with the method.