Analysis of DNS TXT Record Usage and Consideration of Botnet Communication Detection

ICHISE, Hikaru; JIN, Yong; IIDA, Katsuyoshi

doi:10.1587/transcom.2017ITP0009


Hokkaido University \| Library \| HUSCAP	Advanced Search		言語

	Home
	About HUSCAP
	Open Access Policy

	Browse by Author

Browse
	Communities & Collections

	Scholarly Journals
	Theses
	Doctoral Dissertations Listed by Graduate Schools
	Conference Procs.
	Events

	HUSCAP Senior (in Japanese)

	Societies

	Downloads (country)

For university staff
	How to post your papers to HUSCAP
	Publication of theses
	Helpline about theses publication

Open Archives Compliant

You can search our collection also at:
	Google
	Google Scholar
	CiNii
	IRDB
	OAIster
	NDLTD

Hokkaido University Collection of Scholarly and Academic Papers >
Information Initiative Center >
Peer-reviewed Journal Articles, etc >

Analysis of DNS TXT Record Usage and Consideration of Botnet Communication Detection

Files in This Item:

e101-b_1_70.pdf

1.65 MB

PDF

View/Open

Please use this identifier to cite or link to this item:http://hdl.handle.net/2115/71053

Title:	Analysis of DNS TXT Record Usage and Consideration of Botnet Communication Detection
Authors:	ICHISE, Hikaru Browse this author
	JIN, Yong Browse this author
	IIDA, Katsuyoshi Browse this author →KAKEN DB
Keywords:	botnet communication
	DNS TXT record
	via-resolver DNS query
	direct outbound DNS query
	indirect outbound DNS query
Issue Date:	Jan-2018
Publisher:	The Institute of Electronics, Information and Communication Engineers
Journal Title:	IEICE Transactions on Communications
Volume:	E101.B
Issue:	1
Start Page:	70
End Page:	79
Publisher DOI:	10.1587/transcom.2017ITP0009
Abstract:	There have been several recent reports that botnet communication between bot-infected computers and Command and Control servers (C&C servers) using the Domain Name System (DNS) protocol has been used by many cyber attackers. In particular, botnet communication based on the DNS TXT record type has been observed in several kinds of botnet attack. Unfortunately, the DNS TXT record type has many forms of legitimate usage, such as hostname description. In this paper, in order to detect and block out botnet communication based on the DNS TXT record type, we first differentiate between legitimate and suspicious usages of the DNS TXT record type and then analyze real DNS TXT query data obtained from our campus network. We divide DNS queries sent out from an organization into three types — via-resolver, and indirect and direct outbound queries — and analyze the DNS TXT query data separately. We use a 99-day dataset for via-resolver DNS TXT queries and an 87-day dataset for indirect and direct outbound DNS TXT queries. The results of our analysis show that about 30%, 8% and 19% of DNS TXT queries in via-resolver, indirect and direct outbound queries, respectively, could be identified as suspicious DNS traffic. Based on our analysis, we also consider a comprehensive botnet detection system and have designed a prototype system.
Relation:	http://search.ieice.org/
Type:	article
URI:	http://hdl.handle.net/2115/71053
Appears in Collections:	情報基盤センター (Information Initiative Center) > 雑誌発表論文等 (Peer-reviewed Journal Articles, etc)

Submitter: 飯田勝吉

OAI-PMH ( junii2 , jpcoar_1.0 )

- Hokkaido University