| Title: | Policy-based Detection and Blocking System against Abnormal Applications by Analyzing DNS Traffic |
| Authors: | Ichise, Hikaru Browse this author |
| Jin, Yong Browse this author →KAKEN DB |
| Iida, Katsuyoshi Browse this author →KAKEN DB |
| Keywords: | Computers |
| Protocols |
| Prototypes |
| Telecommunication traffic |
| Organizations |
| Electronic mail |
| Information and communication technology |
| Botnet |
| abnormal application traffic |
| DNS |
| RPZ |
| SMTP |
| SIP |
| SDN |
| direct outbound communication |
| Issue Date: | 16-Oct-2023 |
| Publisher: | IEEE |
| Journal Title: | Conference Proceedings: 2023 22nd International Symposium on Communications and Information Technologies (ISCIT) |
| Start Page: | 1 |
| End Page: | 6 |
| Publisher DOI: | 10.1109/ISCIT57293.2023.10376042 |
| Abstract: | Bot-infected computers, which are compounded by botnet communication, conduct botnet-based cyber attacks using various application protocols. When using legitimate applications, a computer mostly performs domain name resolutions via the DNS full-service resolver of the organization network in advance for further communication with the application servers. During the domain name resolution, a DNS full-service resolver at least obtains the DNS NS (Name Server) records, the corresponding glue A records (IP address of the Name Server), and the application specific records, such as MX (Mail Exchange) record in case of mail transmission using Simple Mail Transfer Protocol (SMTP) of the target domain name. On the other hand, bot-infected computers with abnormal applications directly communicate with the application servers without obtaining these DNS records so that direct outbound application traffic will be generated. In this paper, we focus on this kind of direct outbound application traffic and propose a policy-based detection and blocking system against abnormal applications by analyzing DNS traffic. Specifically, the direct outbound application traffic without corresponding domain name resolutions will be detected and blocked as abnormal network traffic from bot-infected computers. We implemented a prototype system and conducted the feature evaluation on the SMTP protocol. The results confirmed that the proposed system worked correctly as designed. |
| Description: | 2023 22nd International Symposium on Communications and Information Technologies (ISCIT), 16-18 Oct, 2023. Aerial Function Centre, Sydney, Australia. |
| Conference Name: | 2023 22nd International Symposium on Communications and Information Technologies (ISCIT) |
| Conference Sequence: | 22 |
| Conference Place: | Sydney |
| Rights: | ©2023 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. |
| Type: | proceedings (author version) |
| URI: | http://hdl.handle.net/2115/91123 |
| Appears in Collections: | 情報基盤センター (Information Initiative Center) > 雑誌発表論文等 (Peer-reviewed Journal Articles, etc)
|
