Detecting Mass-Mailing Worm Infected Hosts by Mining DNS Traffic Data
This paper came up in the comments of a recent post. I like it quite a bit, and I'm convinced that in most mass-mailer worm cases this is an effective solution for detecting them without any signatures.

The Domain Name System (DNS) is a critical infrastructure in the Internet; thus, monitoring its traffic, and protecting DNS from malicious activities are important for security in cyberspace. However, it is often difficult to determine whether a DNS query is caused by malicious or normal activity, because information available in DNS traffic is limited.

Source: Detecting Mass-Mailing Worm Infected Hosts by Mining DNS Traffic Data, Keisuke Ishibashi, Tsuyoshi Toyono, Katsuyasu Toyama, Masahiro Ishino, Haruhiko Ohshima, and Ichiro Mizukoshi.

We focus on the activities of mass-mailing worms and propose a method to detect hosts infected by mass-mailing worms by mining DNS traffic data. Our method begins with a small amount of a priori knowledge about a signature query. By assuming that queries sent by most hosts that have sent the signature query of worms have been sent by worm behavior, we detect infected hosts using Bayesian estimation.
We apply our method to DNS traffic data captured at one of the largest commercial Internet Service Providers in Japan, and the experimental result indicates that an 89% reduction of mail exchange queries can be achieved with the method.
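As an added example (not code from the post or the paper), here is one way to realise the seed-and-estimate idea the abstract describes: hosts that issued the a priori signature query are labelled infected, per-query likelihoods are estimated from that split, and every host then gets a naive-Bayes posterior from the other queries it sent, so a host that never sent the signature query can still be flagged by its MX fan-out. The DNS records, the signature name and all domains below are constructed placeholders, and the estimator is a simple interpretation, not the paper's exact one.

```python
from collections import Counter, defaultdict
from math import log

SIGNATURE_QUERY = "sig.worm.invalid"  # placeholder for the a priori signature query
MX_FANOUT = ["mail-a.example", "mail-b.example", "mail-c.example", "mail-d.example"]

# Constructed DNS query records: (client host, query type, query name).
# Hosts .1 and .2 sent the signature query; .3 shows the same MX pattern without it.
SAMPLE_QUERIES = (
    [("10.0.0.1", "A", SIGNATURE_QUERY), ("10.0.0.2", "A", SIGNATURE_QUERY)]
    + [(h, "MX", d) for h in ("10.0.0.1", "10.0.0.2", "10.0.0.3") for d in MX_FANOUT]
    + [("10.0.0.4", "A", "www.example"), ("10.0.0.4", "MX", "mail.corp.example"),
       ("10.0.0.5", "A", "www.example"), ("10.0.0.5", "A", "news.example")]
)

def group_by_host(records):
    """Map each client host to the set of distinct (qtype, qname) pairs it sent."""
    hosts = defaultdict(set)
    for host, qtype, qname in records:
        hosts[host].add((qtype, qname))
    return hosts

def seed_infected(hosts, signature=SIGNATURE_QUERY):
    """A priori label: hosts that sent the signature query are assumed infected."""
    return {h for h, qs in hosts.items() if any(qn == signature for _, qn in qs)}

def score_hosts(hosts, infected):
    """Posterior log-odds of infection per host (naive Bayes on query presence).
    Likelihoods use add-one smoothing; the signature query itself is not used as
    evidence, so hosts lacking it are judged purely on their remaining queries."""
    clean = set(hosts) - infected
    if not infected or not clean:
        raise ValueError("need both seeded-infected and unlabelled hosts")
    cnt_inf, cnt_cln = Counter(), Counter()
    for h, qs in hosts.items():
        for q in qs:
            if q[1] != SIGNATURE_QUERY:
                (cnt_inf if h in infected else cnt_cln)[q] += 1
    prior = log(len(infected) / len(clean))
    scores = {}
    for h, qs in hosts.items():
        lo = prior
        for q in qs:
            if q[1] == SIGNATURE_QUERY:
                continue
            p_inf = (cnt_inf[q] + 1) / (len(infected) + 2)
            p_cln = (cnt_cln[q] + 1) / (len(clean) + 2)
            lo += log(p_inf / p_cln)
        scores[h] = lo
    return scores

def detect(records, threshold=0.0):
    """Return flagged hosts and the share of MX queries they account for."""
    hosts = group_by_host(records)
    scores = score_hosts(hosts, seed_infected(hosts))
    flagged = {h for h, s in scores.items() if s > threshold}
    mx_total = sum(1 for _, t, _ in records if t == "MX")
    mx_flagged = sum(1 for h, t, _ in records if t == "MX" and h in flagged)
    return flagged, (mx_flagged / mx_total if mx_total else 0.0)
```

On the constructed data the third host is flagged without ever having sent the signature query, and the flagged set accounts for 12 of the 13 MX queries, which is the kind of reduction figure the abstract reports for real ISP traffic.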
March 16, 2006
Comments
Yes, I like this very much, too.
Nice work(:0
Posted by: Yasuo Musashi | Mar 17, 2006 4:08:58 AM
I'm with Yasuo -- very nice.
Posted by: Yasuo #2 | Mar 19, 2006 9:22:35 PM
Is the blog still up and running dr.jose ?
I see that it's been almost a month since I hardly saw a new post :)
I love this blog and I want to know it's status.
Cheers
Posted by: anonymous | Apr 25, 2006 5:05:08 AM
Yep, great post. Found a lot of new info!
Posted by: Remove Spyware | Mar 13, 2010 11:09:31 AM