Bayesian bot detection based on dns traffic similarity
- In: SAC ’09: Proceedings of the 2009 ACM Symposium on Applied Computing. ACM, 2009
Cited by 11 (0 self)
ABSTRACT Bots often are detected by their communication with a command and control (C&C) infrastructure. To evade detection, botmasters are increasingly obfuscating C&C communications, e.g., by using fastflux or peer-to-peer protocols. However, commands tend to elicit similar actions in bots of a same botnet. We propose and evaluate a Bayesian approach for detecting bots based on the similarity of their DNS traffic to that of known bots. Experimental results and sensitivity analysis suggest that the proposed method is effective and robust.
A DNS-based Countermeasure Technology for Bot Worm-infected PC terminals in the Campus Network
Cited by 6 (4 self)
Abstract: The DNS query traffic in a campus top domain DNS server was statistically investigated in order to find out the security incidents, especially bot worm (BW)-infected PCs on the campus network. The interesting results are obtained: (1) The total traffic of the DNS query access from the outside of the campus network frequently correlates with that of the number of their unique source IP addresses. (2) The unique source IP address-based entropy (randomness) also frequently correlates well with the query contents-based one. Therefore, these results indicate that we can detect suspicious IP hosts, especially spam bots, in the campus network by only watching DNS query traffic from the outside of the university. Keywords: Bot worm, DNS-based detection, worm detection, entropy analysis, spam bot
Characterizing dark dns behavior
- In: Fourth GI International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA ’07), 2007
Cited by 5 (0 self)
Abstract. Security researchers and network operators increasingly rely on information gathered from honeypots and sensors deployed on darknets, or unused address space, for attack detection. While the attack traffic gleaned from such deployments has been thoroughly scrutinized, little attention has been paid to DNS queries targeting these addresses. In this paper, we introduce the concept of dark DNS, the DNS queries associated with darknet addresses, and characterize the data collected from a large operational network by our dark DNS sensor. We discuss the implications of sensor evasion via DNS reconnaissance and emphasize the importance of reverse DNS authority when deploying darknet sensors to prevent attackers from easily evading monitored darknets. Finally, we present honeydns, a tool that complements existing network sensors and low-interaction honeypots by providing simple DNS services. Key words: DNS, reconnaissance, honeypots, sensors, darknets
Extending black domain name list by using co-occurrence relation
- In: LEET ’10, 2010
Cited by 5 (0 self)
Botnet threats, such as server attacks or sending of spam email, have been increasing. A method of using a blacklist of domain names has been proposed to find infected hosts. However, not all infected hosts may be found by this method because a blacklist does not cover all black domain names. In this paper, we present a method for finding unknown black domain names and extend the blacklist by using DNS traffic data and the original blacklist of known black domain names. We use the co-occurrence relation of two different domain names to find unknown black domain names and extend a blacklist. If a domain name co-occurs with a known black name frequently, we assume that the domain name is also black. We evaluate the proposed method by cross validation; about 91 % of domain names that are in the validation list can be found in the top 1 %.
Security Monitoring of DNS Traffic
, 2006
Cited by 3 (0 self)
The Domain Name System (DNS) is a critical part of the Internet. This paper analyzes methods for passive DNS replication and describes the replication setup at the University of Auckland. Analysis of the replicated DNS traffic showed great dependency of collaborative anti-spam tools on the DNS. These tools also put a great burden on the DNS. This paper discusses analyzed anomalies in the replicated DNS traffic: typo-squatter and fast-flux domains, private IP address space leaks and non-recommended characters in DNS names. Future applications of passive DNS replication are also discussed.
Detection of Anomalous Mailing Behavior Using Novel Data Mining Approaches
Cited by 1 (0 self)
The paper presents a novel method for detecting anomalous mailing behavior based on data mining approaches. Known or unknown email viruses may cause anomalous behaviors. Such behavior can be measured by deviations from a user’s normal behavior. Grouping and association analysis are used to establish a normal user profile. The building process is divided into two stages: first, group relation analysis, and second, dependence relation analysis. Only group relationship analysis or both analyses may be selected, depending on the amount of data available to solve real problems. Bulk amounts of SENDMAIL log data are analyzed and virus behavior simulated. Empirical results indicate that this method of detecting anomalous mailing behavior, based on data mining, is highly accurate. A prototype system has also been designed and constructed.
Statistical Study of Unusual DNS Query Traffic
Cited by 1 (0 self)
We statistically investigated the unusually large DNS resolution traffic toward the top domain DNS server from a university local campus network on April 11th, 2006. The following results are obtained: (1) On April 11th, the DNS query traffic includes a lot of fully qualified domain names (FQDNs) of several specific web sites as name resolution keywords. (2) Also, the DNS query traffic includes plenty of source IP addresses of PC clients. Also (3), several DNS query keywords including specific well-known web sites can be found in the DNS traffic. Therefore, it can be concluded that we can detect the unusual traffic and bot worm activity (DDoS attacks and/or prescannings) by assuming a threshold-based statistical detection model and checking the several specific
Early Detection of Malicious Web Content with Applied Machine Learning
, 2011
Timely Event Detection by Networked Learners
Abstract. We consider a set of distributed learners that are interconnected via an exogenously determined network. The learners observe different data streams that are related to common events of interest, which need to be detected in a timely manner. Each learner is equipped with a set of local classifiers, which generate local predictions about the common event based on the locally observed data streams. In this work, we address the following key questions: (1) Can the learners improve their detection accuracy by exchanging and aggregating information? (2) Can the learners improve the timeliness of their detections by forming clusters, i.e., by collecting information only from surrounding learners? (3) Given a specific tradeoff between detection accuracy and detection delay, is it desirable to aggregate a large amount of information, or is it better to focus on the most recent and relevant information? To address these questions, we propose a cooperative online learning scheme in which each learner maintains a set of weight vectors (one for each possible cluster), selects a cluster and the corresponding weight vector, generates a local prediction, disseminates it through the network, and combines all the received local predictions from the learners belonging to the selected cluster by using a weighted majority rule. The optimal cluster and weight vector that a learner should adopt depend on the specific network topology, on the location of the learner in the network, and on the characteristics of the data streams. To learn such optimal values, we propose a general online learning rule that exploits only the feedback that the learners receive. We determine an upper bound for the worst-case mis-detection probability and for the worst-case prediction delay of our scheme in the realizable case.
Numerical simulations show that the proposed scheme is able to successfully adapt to the unknown characteristics of the data streams and can achieve substantial performance gains with respect to a scheme in which the learners act individually or a scheme in which the learners always aggregate all available local predictions. We numerically evaluate the impact that different network topologies have on the final performance. Finally, we discuss several surprising existing trade-offs.
Flow Level Data Mining of DNS Query Streams for Email Worm Detection
, 2009
Abstract. Email worms remain a major network security concern, as they increasingly attack systems with intensity using more advanced social engineering tricks. Their extremely high prevalence clearly indicates that current network defence mechanisms are intrinsically incapable of mitigating email worms, and thereby of reducing unwanted email traffic traversing the Internet. In this paper we study the effect email worms have on the flow-level characteristics of the DNS query streams a user machine generates. We propose a method based on unsupervised learning and time series analysis to detect email worms early on the local name server, which is located topologically near the infected machine. We evaluate our method against an email worm DNS query stream dataset that consists of 68 email worm instances and show that it exhibits remarkable accuracy in detecting various email worm instances.