A DNS-based Countermeasure Technology for Bot Worm-infected PC terminals in the Campus Network
نویسندگان
چکیده
The DNS query traffic in a campus top domain DNS server were statistically investigated in order to find out the security incidents, especially bot worm (BW)-infected PCs on the campus network. The interesting results are obtained: (1) The total traffic of the DNS query access from the outside of the campus network frequently correlates with that of the number of their unique source IP addresses. (2) The unique source IP address-based entropy (randomness) also frequently correlates well with the query contents-based one. Therefore, these results indicate that we can detect suspicious IP hosts, especially, spam bots in the campus network by only watching DNS query traffic from the outside of the university.
منابع مشابه
Detecting Active Bot Networks Based on DNS Traffic Analysis
Abstract—One of the serious threats to cyberspace is the Bot networks or Botnets. Bots are malicious software that acts as a network and allows hackers to remotely manage and control infected computer victims. Given the fact that DNS is one of the most common protocols in the network and is essential for the proper functioning of the network, it is very useful for monitoring, detecting and redu...
متن کاملDetecting Bot Networks Based On HTTP And TLS Traffic Analysis
Abstract— Bot networks are a serious threat to cyber security, whose destructive behavior affects network performance directly. Detecting of infected HTTP communications is a big challenge because infected HTTP connections are clearly merged with other types of HTTP traffic. Cybercriminals prefer to use the web as a communication environment to launch application layer attacks and secretly enga...
متن کاملBotnet Malicious Activity Detection Based on DNS Traffic Analysis
In the field of internet security botnet is becoming the significant threat as more number of users are connected to internet. Botnet which is a collection of infected computers so called (bots) are becoming the major threat to internet community. The difference between a malware and botnet is that bot is remotely controlled by a C&C server which are under the control of a botmaster. Here in th...
متن کاملContainment of Fast Scanning Computer Network Worms
This paper presents a mechanism for detecting and containing fast scanning computer network worms. The countermeasure mechanism, termed NEDAC, uses a behavioural detection technique that observes the absence of DNS resolution in newly initiated outgoing connections. Upon detection of abnormal behaviour by a host, based on the absence of DNS resolution, the detection system then invokes a data l...
متن کاملEmploying machine learning algorithms to detect unknown scanning and email worms
We present a worm detection system that leverages the reliability of IP-Flow and the effectiveness of learning machines. Typically, a host infected by a scanning or an email worm initiates a significant amount of traffic that does not rely on DNS to translate names into numeric IP addresses. Based on this fact, we capture and classify NetFlow records to extract feature patterns for each PC on t...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
دوره شماره
صفحات -
تاریخ انتشار 2006