A statistical approach to the spam problem
Linux Journal
Learning nonstationary models of normal network traffic for detecting novel attacks
Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining
Data Mining Methods for Detection of New Malicious Executables
SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Inferring relative popularity of internet applications by actively querying DNS caches
Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement
Proceedings of the 2004 ACM workshop on Rapid malcode
A new worm exploiting IPv4-IPv6 dual-stack networks
Proceedings of the 2007 ACM workshop on Recurring malcode
Characterizing Dark DNS Behavior
DIMVA '07 Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Bayesian bot detection based on DNS traffic similarity
Proceedings of the 2009 ACM symposium on Applied Computing
Using Artificial Intelligence for Intrusion Detection
Proceedings of the 2007 conference on Emerging Artificial Intelligence Applications in Computer Engineering: Real Word AI Systems with Applications in eHealth, HCI, Information Retrieval and Pervasive Technologies
Extending black domain name list by using co-occurrence relation between DNS queries
LEET'10 Proceedings of the 3rd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
Hi-index | 0.01 |
The Domain Name System (DNS) is a critical infrastructure in the Internet; thus, monitoring its traffic, and protecting DNS from malicious activities are important for security in cyberspace. However, it is often difficult to determine whether a DNS query is caused by malicious or normal activity, because information available in DNS traffic is limited.We focus on the activities of mass-mailing worms and propose a method to detect hosts infected by mass-mailing worms by mining DNS traffic data. Our method begins with a small amount of a priori knowledge about a signature query. By assuming that queries sent by most hosts that have sent the signature query of worms have been sent by worm behavior, we detect infected hosts using Bayesian estimation.We apply our method to DNS traffic data captured at one of the largest commercial Internet Service Providers in Japan, and the experimental result indicates that an 89% reduction of mail exchange queries can be achieved with the method.