

Detection and Blocking of DGA-based Bot Infected Computers by Monitoring NXDOMAIN Responses

Files in This Item: IEEE_CSCloud_2020_paper_77.pdf (739.2 kB, PDF)
Please use this identifier to cite or link to this item: http://hdl.handle.net/2115/87495

Title: Detection and Blocking of DGA-based Bot Infected Computers by Monitoring NXDOMAIN Responses
Authors: Iuchi, Yuki; Jin, Yong; Ichise, Hikaru; Iida, Katsuyoshi; Takai, Yoshiaki
Keywords: Bot; DNS; DGA; NXDOMAIN; SDN
Issue Date: 19-Aug-2020
Publisher: IEEE
Citation: Cyber Security and Cloud Computing (CSCloud)/2020 6th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom), 2020 7th IEEE International Conference
Start Page: 82
End Page: 87
Publisher DOI: 10.1109/CSCloud-EdgeCom49738.2020.00023
Abstract: Cyberattacks by botnets keep on increasing. In this research, we aim to detect and block Domain Generation Algorithm (DGA)-based bot-infected computers by focusing on the characteristics of domain name resolution used to search for the Command & Control (C&C) servers. The attackers register only a few of the DGA-generated domain names for the C&C servers and make the bot-infected computers search for them through DNS domain name resolution to obtain further instructions. As a result, domain name resolution during the C&C server search inevitably produces NXDOMAIN responses for queries about nonexistent domain names. In this paper, we designed and implemented a detection and blocking system against DGA-based bot-infected computers searching for the C&C servers by analyzing the DNS traffic that resulted in NXDOMAIN responses. According to the feature evaluation results, we confirmed that the prototype system was effective for multiple types of DGA-based bots, and thus the approach could be applicable to detecting and blocking malicious DNS traffic from bot-infected computers at an early stage.
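As an added illustration of the signal the abstract describes (not the paper's own system, whose features and thresholds the record does not give), the following Python counts distinct NXDOMAIN names per client inside a sliding time window over constructed DNS response records; the window, threshold and log format are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample of DNS response records (not from the paper):
# "epoch_seconds client_ip queried_name rcode"
SAMPLE_LOG = """\
1000 10.0.0.5 www.example.com NOERROR
1001 10.0.0.5 mail.example.com NOERROR
1002 10.0.0.9 qzlkwpeort.com NXDOMAIN
1003 10.0.0.9 xmvbnqwlae.net NXDOMAIN
1004 10.0.0.9 plkuytrewq.org NXDOMAIN
1005 10.0.0.5 intranet.corp NXDOMAIN
1006 10.0.0.9 zxcvbnmasd.info NXDOMAIN
1007 10.0.0.9 qwertyuiop.biz NXDOMAIN
1008 10.0.0.9 lkjhgfdsaz.com NXDOMAIN
1100 10.0.0.9 asdfghjkl.net NXDOMAIN
"""

def parse_log(text):
    """Yield (timestamp, client, qname, rcode) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        yield int(ts), client, qname.lower().rstrip("."), rcode

def detect_nxdomain_bursts(records, window=60, threshold=5):
    """Return {client: set_of_nonexistent_names} for clients whose count of
    distinct NXDOMAIN names within any `window`-second span reaches `threshold`.
    Distinct names are counted so that one repeatedly mistyped or suffixed
    name does not trigger an alert. Window and threshold are illustrative
    assumptions, not values from the paper."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, client, qname, rcode in sorted(records):
        if rcode != "NXDOMAIN":
            continue
        q = recent[client]
        q.append((ts, qname))
        while q and ts - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        names = {n for _, n in q}
        if len(names) >= threshold:
            flagged.setdefault(client, set()).update(names)
    return flagged

if __name__ == "__main__":
    for client, names in detect_nxdomain_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"candidate for blocking: {client} ({len(names)} nonexistent names)")
```

The single NXDOMAIN from 10.0.0.5 (a plausible internal-name typo) stays below the threshold, while the burst from 10.0.0.9 is flagged; the isolated query at 1100 falls outside the window and does not extend the alert.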
Description: 2020 7th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/2020 6th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom), 1-3 Aug. 2020
Conference Name: 2020 7th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/2020 6th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom)
Rights: © 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Type: proceedings (author version)
URI: http://hdl.handle.net/2115/87495
Appears in Collections:情報基盤センター (Information Initiative Center) > 雑誌発表論文等 (Peer-reviewed Journal Articles, etc)

Submitter: 飯田 勝吉
