NS record History Based Abnormal DNS traffic Detection Considering Adaptive Botnet Communication Blocking
https://ipsj.ixsq.nii.ac.jp/records/203159
Name / File | License | Access |
---|---|---|
| Copyright (c) 2020 by the Information Processing Society of Japan | Open access |
Field | Value |
---|---|
Item type | Journal(1) |
Publication date | 2020-02-15 |
Title | NS record History Based Abnormal DNS traffic Detection Considering Adaptive Botnet Communication Blocking |
Language | eng |
Subject scheme | Other |
Keywords | [Special Issue: Network Services and Distributed Processing] Botnet communication, DNS, NS record, glue A record, direct outbound query, NS history database |
Resource type identifier | http://purl.org/coar/resource_type/c_6501 |
Resource type | journal article |
Author affiliations | Graduate School of Information Science and Technology, Hokkaido University / Technical Department, Tokyo Institute of Technology; Global Scientific Information and Computing Center, Tokyo Institute of Technology; Information Initiative Center, Hokkaido University; Information Initiative Center, Hokkaido University |
Authors | Hikaru Ichise, Yong Jin, Katsuyoshi Iida, Yoshiaki Takai |
Description type | Other |
Abstract | DNS (Domain Name System)-based name resolution is one of the most fundamental Internet services for both Internet users and Internet service providers. In the normal DNS-based name resolution process, the corresponding NS (Name Server) records are required before a DNS query is sent to the authoritative DNS servers. However, in recent years, DNS-based botnet communication has been observed in which botnet-related network traffic is transferred via DNS queries and responses. In particular, it has been observed that some types of malware send DNS queries to the C&C servers using an IP address directly, without obtaining the corresponding NS records in advance. In this paper, we propose a novel mechanism to detect and block abnormal DNS traffic by analyzing the NS record history obtained in an intranet. In the proposed mechanism, all DNS traffic of an intranet is captured and analyzed in order to extract the legitimate NS records and the corresponding glue A records (the IP address(es) of a name server), which are stored in a white list database. Then all outgoing DNS queries are checked, and those destined to IP addresses not included in the white list are blocked as abnormal DNS traffic. We have implemented a prototype system and evaluated its functionality in an SDN-based experimental network. The results showed that the prototype system worked as we expected, and accordingly we consider that the proposed mechanism is capable of detecting and blocking some specific types of abnormal DNS-based botnet communication. |
Note | This is a preprint of an article intended for publication in the Journal of Information Processing (JIP). This preprint should not be cited. This article should be cited as: Journal of Information Processing Vol.28(2018) (online) DOI http://dx.doi.org/10.2197/ipsjjip.28.112 |
Bibliographic record ID (NCID) | AN00116647 |
Bibliographic information | IPSJ Journal (情報処理学会論文誌), Vol. 61, No. 2, published 2020-02-15 |
ISSN | 1882-7764 |