Detection and Blocking of Anomaly DNS Traffic by Analyzing Achieved NS Record History
Title: | Detection and Blocking of Anomaly DNS Traffic by Analyzing Achieved NS Record History |
Authors: | Ichise, Hikaru | Jin, Yong | Iida, Katsuyoshi | Takai, Yoshiaki |
Issue Date: | 2018 |
Publisher: | Asia-Pacific Signal and Information Processing Association |
Citation: | Proceedings, APSIPA Annual Summit and Conference 2018 |
Start Page: | 1586 |
End Page: | 1590 |
Abstract: | DNS (Domain Name System)-based name resolution service is one of the most fundamental Internet services for the Internet users and application service providers. In normal DNS based domain name resolution, the corresponding NS records are required prior to sending DNS query to the corresponding authoritative DNS servers. However, in recent years, DNS based botnet communication has been observed in which botnet related network traffic is transferred via DNS packets. In particular, it is observed in some malware that DNS queries are sent to C&C servers using IP address directly without obtaining the corresponding NS records. In this paper, we propose a novel mechanism to detect and block anomaly DNS traffic by analyzing the achieved NS record history in an organization network. In the proposed mechanism, all DNS traffic of an organization network will be captured and analyzed in order to extract the legitimate NS (Name Server) records and the corresponding glue A records (the IP address(es) of a name server) which will be stored in a white list database. Then all the outgoing DNS query packets will be checked and those destined to the IP addresses that are not included in the white list will be blocked as anomaly DNS traffic. We have implemented a prototype system and evaluated the functionalities in an SDN-based experimental network. The results show that the prototype system works as expected and the proposed mechanism is capable of detecting and blocking some specific types of suspicious DNS traffic. |
Description: | APSIPA Annual Summit and Conference 2018. Asia-Pacific Signal and Information Processing Association (APSIPA). 12-15 November 2018. Held at the Hawai’i Convention Center in Honolulu, Hawaii, USA |
Conference Name: | APSIPA Annual Summit and Conference 2018 |
Conference Place: | Honolulu |
Rights: | All the papers in APSIPA ASC 2018 are copyrighted by APSIPA. |
Publisher URI: | http://www.apsipa.org/proceedings/2018/pdfs/0001586.pdf |
Type: | proceedings |
URI: | http://hdl.handle.net/2115/87037 |
Appears in Collections: | Information Initiative Center > Peer-reviewed Journal Articles, etc |
Submitter: 飯田 勝吉