TY - GEN
T1 - The Rapid Extraction of Suspicious Traffic from Passive DNS
AU - Wang, Wenbo
AU - Zang, Tianning
AU - Lan, Yuqing
N1 - Publisher Copyright:
Copyright © 2018 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved.
PY - 2018
Y1 - 2018
AB - Network traffic is filled with numerous malicious requests, most of which are generated by amplification attacks, random subdomain attacks and botnets. When using DNS traffic for malicious behavior analysis, we often need to test each domain individually. Moreover, the amount of data is very large, and simple filtering cannot quickly reduce the number of domain names that need to be examined. As a result, the analysis takes a lot of time under limited resources. Therefore, this paper introduces an extraction scheme for DNS traffic. We designed a simple and efficient method for extracting the three kinds of attack traffic that account for the largest proportion of traffic. In addition, statistics and classification were used to handle all of the traffic. We implemented a prototype system and evaluated it on real-world DNS traffic. With the recall rate reaching almost 100%, the number of second-level domain names to be examined was reduced to 8% of the original quantity, and the number of DNS records to be examined was reduced to 1% of the original number.
KW - Amplification Attack
KW - DNS
KW - Domain Generation Algorithm
KW - Malicious Domain Name
KW - Random Subdomain Attack
UR - https://www.scopus.com/pages/publications/85052012721
U2 - 10.5220/0006543401900198
DO - 10.5220/0006543401900198
M3 - Conference contribution
AN - SCOPUS:85052012721
T3 - ICISSP 2018 - Proceedings of the 4th International Conference on Information Systems Security and Privacy
SP - 190
EP - 198
BT - ICISSP 2018 - Proceedings of the 4th International Conference on Information Systems Security and Privacy
A2 - Mori, Paolo
A2 - Furnell, Steven
A2 - Camp, Olivier
PB - SciTePress
T2 - 4th International Conference on Information Systems Security and Privacy, ICISSP 2018
Y2 - 22 January 2018 through 24 January 2018
ER -