
Analysis of DNS TXT Record Usage and Consideration of Botnet Communication Detection

File: e101-b_1_70.pdf (PDF, 1.65 MB)
Persistent identifier (cite or link to this item): http://hdl.handle.net/2115/71053

Title: Analysis of DNS TXT Record Usage and Consideration of Botnet Communication Detection
Authors: ICHISE, Hikaru; JIN, Yong; IIDA, Katsuyoshi
Keywords: botnet communication
DNS TXT record
via-resolver DNS query
direct outbound DNS query
indirect outbound DNS query
Issue Date: Jan-2018
Publisher: The Institute of Electronics, Information and Communication Engineers
Journal Title: IEICE Transactions on Communications
Volume: E101.B
Issue: 1
Start Page: 70
End Page: 79
Publisher DOI: 10.1587/transcom.2017ITP0009
Abstract: There have been several recent reports that botnet communication between bot-infected computers and Command and Control servers (C&C servers) using the Domain Name System (DNS) protocol has been used by many cyber attackers. In particular, botnet communication based on the DNS TXT record type has been observed in several kinds of botnet attack. Unfortunately, the DNS TXT record type has many forms of legitimate usage, such as hostname description. In this paper, in order to detect and block out botnet communication based on the DNS TXT record type, we first differentiate between legitimate and suspicious usages of the DNS TXT record type and then analyze real DNS TXT query data obtained from our campus network. We divide DNS queries sent out from an organization into three types — via-resolver, and indirect and direct outbound queries — and analyze the DNS TXT query data separately. We use a 99-day dataset for via-resolver DNS TXT queries and an 87-day dataset for indirect and direct outbound DNS TXT queries. The results of our analysis show that about 30%, 8% and 19% of DNS TXT queries in via-resolver, indirect and direct outbound queries, respectively, could be identified as suspicious DNS traffic. Based on our analysis, we also consider a comprehensive botnet detection system and have designed a prototype system.
Relation (URI): http://search.ieice.org/
Type: article
URI: http://hdl.handle.net/2115/71053
Appears in Collections: Information Initiative Center (情報基盤センター) > Peer-reviewed Journal Articles, etc (雑誌発表論文等)

Submitter: 飯田 勝吉 (Katsuyoshi Iida)