论文信息 - Entropy study on A resource record DNS query traffic from the campus network (インターネットアーキテクチャ)

Entropy study on A resource record DNS query traffic from the campus network (インターネットアーキテクチャ)

We investigated the source IP address (SIP)and query keyword (QK)based entropy changes in the A and PTR resource records (RRs) based DNS query traffic between the DNS clients and the campus DNS server through January 1st to December 31st, 2008. The results are: (1) The both entropies simultaneously decrease when the targeted attack activity is high. (2) The SIP-based entropy increases while the QK-based one decreases, simultaneously, when the random attack activity is high. (3) The SIP-based entropy decreases while the QK-based one increases, at the same time, when the host search activity is high. Therefore, we can get important information for the security incidents by only observing the DNS query traffic.

[1] Yasuo Musashi,et al. A DNS-based countermeasure technology for bot worm-infected PC terminals in the campus network , 2006 .

[2] Jose Nazario,et al. Defense and Detection Strategies against Internet Worms , 2003 .

[3] Ludena Romana. Entropy Study on A and PTR Resource Record-Based DNS Query Traffic , 2008 .

[4] Bill McCarty,et al. Botnets: Big and Bigger , 2003, IEEE Secur. Priv..

[5] Yasuo Musashi,et al. Development of Automatic Detection and Prevention Systems of DNS Query PTR record-based Distributed Denial-of-Service Attack , 2004 .

[6] Bernhard Plattner,et al. Entropy based worm and anomaly detection in fast IP networks , 2005, 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise (WETICE'05).

[7] Yasuo Musashi,et al. DNS based Security Incidents Detection in Campus Network , 2008 .