K. Ishibashi, Tsuyoshi Toyono, Katsuyasu Toyama, Masahiro Ishino, Haruhiko Ohshima, I. Mizukoshi
{"title":"通过挖掘DNS流量数据检测群发邮件蠕虫感染主机","authors":"K. Ishibashi, Tsuyoshi Toyono, Katsuyasu Toyama, Masahiro Ishino, Haruhiko Ohshima, I. Mizukoshi","doi":"10.1145/1080173.1080175","DOIUrl":null,"url":null,"abstract":"The Domain Name System (DNS) is a critical infrastructure in the Internet; thus, monitoring its traffic, and protecting DNS from malicious activities are important for security in cyberspace. However, it is often difficult to determine whether a DNS query is caused by malicious or normal activity, because information available in DNS traffic is limited.We focus on the activities of mass-mailing worms and propose a method to detect hosts infected by mass-mailing worms by mining DNS traffic data. Our method begins with a small amount of a priori knowledge about a signature query. By assuming that queries sent by most hosts that have sent the signature query of worms have been sent by worm behavior, we detect infected hosts using Bayesian estimation.We apply our method to DNS traffic data captured at one of the largest commercial Internet Service Providers in Japan, and the experimental result indicates that an 89% reduction of mail exchange queries can be achieved with the method.","PeriodicalId":216113,"journal":{"name":"Annual ACM Workshop on Mining Network Data","volume":"85 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2005-08-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"49","resultStr":"{\"title\":\"Detecting mass-mailing worm infected hosts by mining DNS traffic data\",\"authors\":\"K. Ishibashi, Tsuyoshi Toyono, Katsuyasu Toyama, Masahiro Ishino, Haruhiko Ohshima, I. Mizukoshi\",\"doi\":\"10.1145/1080173.1080175\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"The Domain Name System (DNS) is a critical infrastructure in the Internet; thus, monitoring its traffic, and protecting DNS from malicious activities are important for security in cyberspace. However, it is often difficult to determine whether a DNS query is caused by malicious or normal activity, because information available in DNS traffic is limited.We focus on the activities of mass-mailing worms and propose a method to detect hosts infected by mass-mailing worms by mining DNS traffic data. Our method begins with a small amount of a priori knowledge about a signature query. By assuming that queries sent by most hosts that have sent the signature query of worms have been sent by worm behavior, we detect infected hosts using Bayesian estimation.We apply our method to DNS traffic data captured at one of the largest commercial Internet Service Providers in Japan, and the experimental result indicates that an 89% reduction of mail exchange queries can be achieved with the method.\",\"PeriodicalId\":216113,\"journal\":{\"name\":\"Annual ACM Workshop on Mining Network Data\",\"volume\":\"85 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2005-08-22\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"49\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Annual ACM Workshop on Mining Network Data\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/1080173.1080175\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Annual ACM Workshop on Mining Network Data","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/1080173.1080175","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Detecting mass-mailing worm infected hosts by mining DNS traffic data
The Domain Name System (DNS) is a critical infrastructure in the Internet; thus, monitoring its traffic, and protecting DNS from malicious activities are important for security in cyberspace. However, it is often difficult to determine whether a DNS query is caused by malicious or normal activity, because information available in DNS traffic is limited.We focus on the activities of mass-mailing worms and propose a method to detect hosts infected by mass-mailing worms by mining DNS traffic data. Our method begins with a small amount of a priori knowledge about a signature query. By assuming that queries sent by most hosts that have sent the signature query of worms have been sent by worm behavior, we detect infected hosts using Bayesian estimation.We apply our method to DNS traffic data captured at one of the largest commercial Internet Service Providers in Japan, and the experimental result indicates that an 89% reduction of mail exchange queries can be achieved with the method.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
