Flow Level Data Mining of DNS Query Streams for Email Worm Detection

Email worms remain a major network security concern, as they attack systems with increasing intensity and with ever more advanced social engineering tricks. Their extremely high prevalence clearly indicates that current network defence mechanisms are intrinsically incapable of mitigating email worms, and thus of reducing the unwanted email traffic traversing the Internet. In this paper we study the effect email worms have on the flow-level characteristics of the DNS query streams a user machine generates. We propose a method based on unsupervised learning and time series analysis that detects email worms early, on the local name server, which is topologically close to the infected machine. We evaluate our method against an email worm DNS query stream dataset consisting of 68 email worm instances and show that it exhibits remarkable accuracy in detecting the various email worm instances.
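To make the flow-level idea concrete, the following is an added illustrative example, not code from the paper. It assumes a DNS log layout of "epoch_seconds source_ip qtype qname" as seen by a local resolver, turns each source host's query stream into a per-minute query-rate time series, summarises each series with simple shape features (mean, spread, peak), and separates hosts with a small deterministic 2-means clustering. The sample log, the feature set and the clustering rule are all assumptions chosen for the example; the paper's own features and learning method are not described in the abstract.

```python
"""Flow-level DNS query-stream clustering (added example, not the paper's code)."""
from collections import defaultdict
from statistics import mean, pstdev
import math

WINDOW = 60      # seconds per time-series bucket (assumption)
HORIZON = 600    # length of the constructed observation period in seconds


def make_sample_log():
    """Constructed log lines: 'epoch_seconds src_ip qtype qname' (not real data)."""
    lines = []
    benign_names = ["www.example.com", "mail.example.com", "cdn.example.net"]
    # Four benign hosts: one query every 20-30 s to a handful of names.
    for i, host in enumerate(["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"]):
        t = 0
        while t < HORIZON:
            lines.append(f"{t} {host} A {benign_names[(t // 60 + i) % 3]}")
            t += 20 + 5 * (i % 3)
    # One host with constructed mass-mailing-like behaviour: a burst of many
    # MX lookups for distinct domains between t=120 and t=300.
    t, n = 0, 0
    while t < HORIZON:
        if 120 <= t < 300:
            for _ in range(8):
                lines.append(f"{t} 10.0.0.99 MX domain{n}.invalid")
                n += 1
            t += 2
        else:
            lines.append(f"{t} 10.0.0.99 A www.example.com")
            t += 25
    return lines


def build_series(lines, window=WINDOW, horizon=HORIZON):
    """Per-host time series: number of queries in each window-sized bucket."""
    buckets = horizon // window
    per_host = defaultdict(lambda: [0] * buckets)
    for line in lines:
        ts, host, _qtype, _qname = line.split()
        idx = int(ts) // window
        if idx < buckets:
            per_host[host][idx] += 1
    return dict(per_host)


def features(series):
    """Shape features of one host's query-rate series: mean, spread, peak."""
    return [mean(series), pstdev(series), max(series)]


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans2(points, iters=20):
    """Deterministic 2-means: seed with the two points farthest apart."""
    seeds = max(((a, b) for a in points for b in points), key=lambda p: _dist(*p))
    centers = [list(seeds[0]), list(seeds[1])]
    labels = [0] * len(points)
    for _ in range(iters):
        labels = [0 if _dist(p, centers[0]) <= _dist(p, centers[1]) else 1
                  for p in points]
        new = []
        for c in range(2):
            members = [p for p, l in zip(points, labels) if l == c]
            new.append([mean(col) for col in zip(*members)] if members else centers[c])
        if new == centers:
            break
        centers = new
    return labels, centers


def detect(lines):
    """Return hosts whose query-rate behaviour falls in the minority, high-rate cluster."""
    series = build_series(lines)
    hosts = sorted(series)
    pts = [features(series[h]) for h in hosts]
    labels, centers = kmeans2(pts)
    hot = 0 if centers[0][0] > centers[1][0] else 1   # cluster with higher mean rate
    flagged = [h for h, l in zip(hosts, labels) if l == hot]
    if len(flagged) * 2 > len(hosts):
        return []   # if most hosts look "hot", treat that as the normal baseline
    return flagged


if __name__ == "__main__":
    print(detect(make_sample_log()))   # constructed data: flags 10.0.0.99 only
```

Run against the constructed log, only the bursty MX-heavy host is placed in the high-rate cluster. In a deployment, the series would be built from the local name server's query log and the baseline cluster re-estimated periodically, since a detector that assumes the high-rate cluster is always the minority can be misled once many hosts on a segment are infected.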
