HUSCAP logo Hokkaido Univ. logo

Hokkaido University Collection of Scholarly and Academic Papers >
Information Initiative Center >
Peer-reviewed Journal Articles, etc >

Policy-based Detection and Blocking System against Abnormal Applications by Analyzing DNS Traffic

Files in This Item:
m10531-ichise final.pdf680.91 kBPDFView/Open
Please use this identifier to cite or link to this item:

Title: Policy-based Detection and Blocking System against Abnormal Applications by Analyzing DNS Traffic
Authors: Ichise, Hikaru Browse this author
Jin, Yong Browse this author →KAKEN DB
Iida, Katsuyoshi Browse this author →KAKEN DB
Keywords: Computers
Telecommunication traffic
Electronic mail
Information and communication technology
abnormal application traffic
direct outbound communication
Issue Date: 16-Oct-2023
Publisher: IEEE
Journal Title: Conference Proceedings: 2023 22nd International Symposium on Communications and Information Technologies (ISCIT)
Start Page: 1
End Page: 6
Publisher DOI: 10.1109/ISCIT57293.2023.10376042
Abstract: Bot-infected computers, which are compounded by botnet communication, conduct botnet-based cyber attacks using various application protocols. When using legitimate applications, a computer mostly performs domain name resolutions via the DNS full-service resolver of the organization network in advance for further communication with the application servers. During the domain name resolution, a DNS full-service resolver at least obtains the DNS NS (Name Server) records, the corresponding glue A records (IP address of the Name Server), and the application specific records, such as MX (Mail Exchange) record in case of mail transmission using Simple Mail Transfer Protocol (SMTP) of the target domain name. On the other hand, bot-infected computers with abnormal applications directly communicate with the application servers without obtaining these DNS records so that direct outbound application traffic will be generated. In this paper, we focus on this kind of direct outbound application traffic and propose a policy-based detection and blocking system against abnormal applications by analyzing DNS traffic. Specifically, the direct outbound application traffic without corresponding domain name resolutions will be detected and blocked as abnormal network traffic from bot-infected computers. We implemented a prototype system and conducted the feature evaluation on the SMTP protocol. The results confirmed that the proposed system worked correctly as designed.
Description: 2023 22nd International Symposium on Communications and Information Technologies (ISCIT), 16-18 Oct, 2023. Aerial Function Centre, Sydney, Australia.
Conference Name: 2023 22nd International Symposium on Communications and Information Technologies (ISCIT)
Conference Sequence: 22
Conference Place: Sydney
Rights: ©2023 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Type: proceedings (author version)
Appears in Collections:情報基盤センター (Information Initiative Center) > 雑誌発表論文等 (Peer-reviewed Journal Articles, etc)

Submitter: 飯田 勝吉

Export metadata:

OAI-PMH ( junii2 , jpcoar_1.0 )

MathJax is now OFF:


 - Hokkaido University