Email Worm Detection by Flow Level Data Mining DNS Query Streams
Abstract
Email worms remain a major network security concern, as they increasingly attack systems with intensity using more advanced social engineering tricks. Their extremely high prevalence clearly indicates that current network defence mechanisms are intrinsically incapable of mitigating email worms, and thereby of reducing the unwanted email traffic traversing the Internet. In this paper we study the effect email worms have on the flow-level characteristics of the DNS query streams a user machine generates. We propose a method based on unsupervised learning and time series analysis to detect email worms early on the local name server, which is located topologically near the infected machine. We evaluate our method against an email worm DNS query stream dataset that consists of 68 email worm instances and show that it exhibits remarkable accuracy in detecting various email worm instances.
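The abstract describes the approach only at a high level: profile the DNS query stream of each client as a time series of flow-level features and let an unsupervised rule, run on the local resolver, flag a host whose stream changes shape. The following is an added illustration of that idea, written for this page; it is not the paper's code, dataset or feature set. It assumes a resolver query log in the simple `<epoch_s> <client_ip> <qtype> <qname>` format shown, constructed sample traffic for two clients, and features (queries per 60 s window, distinct names, share of MX lookups) and a median/MAD outlier rule that are my choices, not the paper's. The MX feature is an assumption based on mass-mailing worms resolving MX records to deliver mail directly.

```python
"""Illustrative flow-level profiler for DNS query streams seen at a local
recursive resolver. Added example, not code from the paper: the per-host
features (queries per window, distinct names, share of MX lookups) and the
median/MAD outlier rule are assumptions chosen to illustrate the idea."""
from collections import defaultdict
import statistics

# Constructed resolver log, one query per line: "<epoch_s> <client_ip> <qtype> <qname>".
# 10.0.0.5 is a normal workstation; 10.0.0.9 starts mass MX lookups at t=241,
# the pattern a mass-mailing worm produces when it delivers mail directly.
SAMPLE_LOG = """\
# ts client qtype qname   (constructed, not real traffic)
5   10.0.0.5 A    www.example.com.
20  10.0.0.5 A    mail.example.com.
40  10.0.0.5 A    cdn.example.net.
70  10.0.0.5 A    www.example.com.
90  10.0.0.5 A    news.example.org.
130 10.0.0.5 A    www.example.com.
150 10.0.0.5 AAAA www.example.com.
160 10.0.0.5 A    api.example.net.
200 10.0.0.5 A    www.example.com.
220 10.0.0.5 A    news.example.org.
250 10.0.0.5 A    www.example.com.
270 10.0.0.5 MX   example.com.
280 10.0.0.5 A    cdn.example.net.
10  10.0.0.9 A    www.example.com.
30  10.0.0.9 A    update.example.net.
75  10.0.0.9 A    www.example.com.
140 10.0.0.9 A    www.example.com.
145 10.0.0.9 A    news.example.org.
190 10.0.0.9 A    www.example.com.
"""
# The worm burst: 12 MX lookups for 12 harvested domains within one window.
SAMPLE_LOG += "".join(f"{241 + i} 10.0.0.9 MX victim{i:02d}.example.\n" for i in range(12))
SAMPLE_LOG += "255 10.0.0.9 A www.example.com.\n"


def parse_log(text):
    """Parse log lines into (ts, client, qtype, qname) tuples; skip comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qtype, qname = line.split()
        records.append((float(ts), client, qtype.upper(), qname.lower().rstrip(".")))
    return records


def window_features(records, window=60):
    """Per client, a time series of (window_start, n_queries, n_distinct_names, mx_ratio)."""
    buckets = defaultdict(lambda: defaultdict(list))
    for ts, client, qtype, qname in records:
        buckets[client][int(ts // window) * window].append((qtype, qname))
    series = {}
    for client, wins in buckets.items():
        rows = []
        for start in sorted(wins):
            qs = wins[start]
            n = len(qs)
            distinct = len({name for _, name in qs})
            mx_ratio = sum(1 for qt, _ in qs if qt == "MX") / n
            rows.append((start, n, distinct, mx_ratio))
        series[client] = rows
    return series


def robust_z(history, x):
    """Median/MAD z-score of x against the host's own history (no labelled data).
    MAD is floored at one query so a perfectly flat history still gives a finite score."""
    med = statistics.median(history)
    mad = statistics.median(abs(v - med) for v in history)
    return 0.6745 * (x - med) / max(mad, 1.0)


def detect(series, warmup=3, z_threshold=3.5, min_mx_ratio=0.5):
    """Flag windows whose query count is a robust outlier against that host's
    earlier windows AND whose lookups are dominated by MX queries."""
    alerts = []
    for client, rows in series.items():
        for i in range(warmup, len(rows)):
            start, n, distinct, mx_ratio = rows[i]
            z = robust_z([r[1] for r in rows[:i]], n)
            if z > z_threshold and mx_ratio >= min_mx_ratio:
                alerts.append({"client": client, "window": start, "queries": n,
                               "distinct": distinct, "mx_ratio": mx_ratio, "z": round(z, 2)})
    return alerts


def analyze(text):
    """Full pipeline: log text -> per-host feature series -> alerts."""
    return detect(window_features(parse_log(text)))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Each host is compared only against its own past, which is what lets the detector sit on the local resolver without any global model; the warm-up of three windows and the combined volume-plus-MX condition are deliberate so that a legitimate client doing an occasional MX lookup (10.0.0.5 at t=270) is not flagged. In a real deployment the window length, the thresholds and the feature set would have to be fitted to the site's traffic.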
Similar references
Employing machine learning algorithms to detect unknown scanning and email worms
We present a worm detection system that leverages the reliability of IP-Flow and the effectiveness of learning machines. Typically, a host infected by a scanning or an email worm initiates a significant amount of traffic that does not rely on DNS to translate names into numeric IP addresses. Based on this fact, we capture and classify NetFlow records to extract feature patterns for each PC on t...
DNS Usage Mining Based on Clustering Analysis of Co-occurrence Patterns: Methods and Applications
The principal goal of DNS usage mining is the discovery and analysis of patterns in the query behavior of DNS users. In this paper, we develop a unified framework for DNS usage mining based on Clustering analysis of cooccurrence data derived from DNS server query data. Through transforming the raw query data into co-occurrence matrix, some clustering approaches and probabilistic inferences can ...
Detecting Botnet Activities Based on Abnormal DNS traffic
The botnet is considered a critical issue of the Internet due to its fast-growing mechanism and effect. Recently, botnets have utilized the DNS and queried DNS servers just like any legitimate host. In this case, it is difficult to distinguish between legitimate DNS traffic and illegitimate DNS traffic. It is important to build a suitable solution for botnet detection in the DNS traffic an...
Mining Multidimensional Sequential Patterns over Data Streams
Sequential pattern mining is an active field in the domain of knowledge discovery and has been widely studied for over a decade by data mining researchers. More and more, with the constant progress in hardware and software technologies, real-world applications like network monitoring systems or sensor grids generate huge amount of streaming data. This new data model, seen as a potentially infin...
A DNS-based Countermeasure Technology for Bot Worm-infected PC terminals in the Campus Network
The DNS query traffic in a campus top-domain DNS server was statistically investigated in order to find security incidents, especially bot worm (BW)-infected PCs on the campus network. The interesting results are obtained: (1) The total traffic of the DNS query access from outside the campus network frequently correlates with the number of their unique source IP addresse...
Publication year: 2008