Hokkaido University Collection of Scholarly and Academic Papers >
Information Initiative Center >
Peer-reviewed Journal Articles, etc >
NS record History Based Abnormal DNS traffic Detection Considering Adaptive Botnet Communication Blocking
Title: | NS record History Based Abnormal DNS traffic Detection Considering Adaptive Botnet Communication Blocking |
Authors: | Ichise, Hikaru Browse this author | Jin, Yong Browse this author →KAKEN DB | Iida, Katsuyoshi Browse this author →KAKEN DB | Takai, Yoshiaki Browse this author →KAKEN DB |
Keywords: | Botnet communication | DNS | NS record | glue A record | direct outbound query | NS history database |
Issue Date: | 15-Feb-2020 |
Publisher: | Information Processing Society of Japan |
Journal Title: | Journal of Information Processing |
Volume: | 28 |
Start Page: | 112 |
End Page: | 122 |
Publisher DOI: | 10.2197/ipsjjip.28.112 |
Abstract: | DNS (Domain Name System) based name resolution is one of the most fundamental Internet services for both of the Internet users and Internet service providers. In normal DNS based name resolution process, the corresponding NS (Name Server) records are required prior to sending a DNS query to the authoritative DNS servers. However, in recent years, DNS based botnet communication has been observed in which botnet related network traffic is transferred via DNS queries and responses. In particular, it has been observed that, in some types of malware, DNS queries will be sent to the C&C servers using an IP address directly without obtaining the corresponding NS records in advance. In this paper, we propose a novel mechanism to detect and block abnormal DNS traffic by analyzing the achieved NS record history in intranet. In the proposed mechanism, all DNS traffic of an intranet will be captured and analyzed in order to extract the legitimate NS records and the corresponding glue A records (the IP address(es) of a name server) which will be stored in a white list database. Then all the outgoing DNS queries will be checked and those destined to the IP addresses that are not included in the white list will be blocked as abnormal DNS traffic. We have implemented a prototype system and evaluated the functionality in an SDN-based experimental network. The results showed that the prototype system worked well as we expected and accordingly we consider that the proposed mechanism is capable of detecting and blocking some specific types of abnormal DNS-based botnet communication. |
Rights: | Notice for the use of this material The copyright of this material is retained by the Information Processing Society of Japan (IPSJ). This material is published on this web page with the agreement of the authors and the IPSJ. Please be complied with Copyright Law of Japan and the Code of Ethics of IPSJ if any users wish to reproduce, make derivative work, distribute or make available to the public any part or whole thereof. All Rights Reserved, Copyright (C) Information Processing Society of Japan. |
Type: | article |
URI: | http://hdl.handle.net/2115/86944 |
Appears in Collections: | 情報基盤センター (Information Initiative Center) > 雑誌発表論文等 (Peer-reviewed Journal Articles, etc)
|
Submitter: 飯田 勝吉
|