论文信息 - A DNS-based countermeasure technology for bot worm-infected PC terminals in the campus network

A DNS-based countermeasure technology for bot worm-infected PC terminals in the campus network

The DNS query traffic in a campus top domain DNS server were statistically investigated in order to find out the security incidents, especially bot worm (BW)-infected PCs on the campus network. The interesting results are obtained: (1) The total traffic of the DNS query access from the outside of the campus network frequently correlates with that of the number of their unique source IP addresses. (2) The unique source IP address-based entropy (randomness) also frequently correlates well with the query contents-based one. Therefore, these results indicate that we can detect suspicious IP hosts, especially, spam bots in the campus network by only watching DNS query traffic from the outside of the university.

[1] Vinod Yegneswaran,et al. An Inside Look at Botnets , 2007, Malware Detection.

[2] Yasuo Musashi,et al. Prevention of A-record based DNS Query Packets Distributed Denial-of-Service Attack by Protocol Anomaly Detection , 2005 .

[3] Jose Nazario,et al. Defense and Detection Strategies against Internet Worms , 2003 .

[4] Bill McCarty,et al. Botnets: Big and Bigger , 2003, IEEE Secur. Priv..

[5] Bernhard Plattner,et al. Entropy based worm and anomaly detection in fast IP networks , 2005, 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise (WETICE'05).

[6] E. Kranakis,et al. Addressing Malicious SMTP-based Mass-Mailing Activity Within an Enterprise Network , .

[7] Wenke Lee,et al. Modeling Botnet Propagation Using Time Zones , 2006, NDSS.

[8] Dawn Song,et al. Malware Detection (Advances in Information Security) , 2006 .

[9] Keisuke Ishibashi,et al. Detecting mass-mailing worm infected hosts by mining DNS traffic data , 2005, MineNet '05.