Presentation 2020-03-02
Implementation and Evaluation of Detection and Blocking System against DGA-based Bot by Focusing on NXDOMAIN Responses
Yuki Iuchi, Yong Jin, Hikaru Ichise, Katsuyoshi Iida, Yoshiaki Takai
Abstract(in Japanese) (See Japanese page)
Abstract(in English) Recently, security attacks caused by bots have been spreading widely. In this research, we aim to detect and block bots based on Domain Generation Algorithms (DGAs) by focusing on the special characteristics of DNS domain name resolutions for Command & Control (C&C) servers. DGAs generate domain names using pseudo-random functions seeded with the current time of day, trending keywords on SNS, etc. The attackers register a part of the generated domain names on the authoritative DNS server so that the bots can find the C&C server. The generated domain names are difficult for anyone other than the attackers to predict, so network administrators can hardly identify malicious DNS domain name resolutions. To deal with this issue, we focus on a characteristic of DGAs, namely that NXDOMAIN responses are frequently received because many generated domain names have not been registered on the authoritative DNS server. In this paper, we design and implement a system that detects and blocks malicious DNS domain name resolutions by analyzing the NXDOMAIN responses received when the bots try to find the C&C servers. Using the prototype system, we also evaluate its effectiveness with multiple DGAs.
Keyword(in Japanese) (See Japanese page)
Keyword(in English) Bot / Botnet / DNS / DGA / NXDOMAIN / SDN
Paper # SITE2019-89,IA2019-67
Date of Issue 2020-02-24 (SITE, IA)

Conference Information
Committee IA / SITE / IPSJ-IOT
Conference Date 2020/3/2(2days)
Place (in Japanese) (See Japanese page)
Place (in English) Nagoya University
Topics (in Japanese) (See Japanese page)
Topics (in English) Internet and Information Ethics Education, etc.
Chair Hiroyuki Osaki(Kwansei Gakuin Univ.) / Tetsuya Morizumi(Kanagawa Univ.)
Vice Chair Rei Atarashi(IIJ) / Toru Kondo(Hiroshima Univ.) / Hiroshi Yamamoto(Ritsumeikan Univ.) / Masaru Ogawa(Kobe Gakuin Univ.) / Takushi Otani(Kibi International Univ.)
Secretary Rei Atarashi(Kwansei Gakuin Univ.) / Toru Kondo(KDDI Research) / Hiroshi Yamamoto(NEC) / Masaru Ogawa(Toyo Eiwa Univ.) / Takushi Otani(KDDI Research)
Assistant Kenji Ohira(Osaka Univ.) / Daiki Nobayashi(Kyushu Inst. of Tech.) / Ryohei Banno(Tokyo Inst. of Tech.) / Nobuyuki Yoshinaga(Yamaguchi Pref Univ.) / Daisuke Suzuki(Hokuriku Univ.)

Paper Information
Registration To Technical Committee on Internet Architecture / Technical Committee on Social Implications of Technology and Information Ethics / Special Interest Group on Internet and Operation Technology
Language JPN
Title (in Japanese) (See Japanese page)
Sub Title (in Japanese) (See Japanese page)
Title (in English) Implementation and Evaluation of Detection and Blocking System against DGA-based Bot by Focusing on NXDOMAIN Responses
Sub Title (in English)
Keyword(1) Bot
Keyword(2) Botnet
Keyword(3) DNS
Keyword(4) DGA
Keyword(5) NXDOMAIN
Keyword(6) SDN
1st Author's Name Yuki Iuchi
1st Author's Affiliation Hokkaido University(Hokkaido Univ.)
2nd Author's Name Yong Jin
2nd Author's Affiliation Tokyo Institute of Technology(Tokyo Tech)
3rd Author's Name Hikaru Ichise
3rd Author's Affiliation Tokyo Institute of Technology(Tokyo Tech)
4th Author's Name Katsuyoshi Iida
4th Author's Affiliation Hokkaido University(Hokkaido Univ.)
5th Author's Name Yoshiaki Takai
5th Author's Affiliation Hokkaido University(Hokkaido Univ.)
Date 2020-03-02
Paper # SITE2019-89,IA2019-67
Volume (vol) vol.119
Number (no) SITE-434,IA-435
Page pp.7-12(SITE), pp.7-12(IA)
#Pages 6
Date of Issue 2020-02-24 (SITE, IA)