| Presentation | 2009-03-05 Evaluation of Black Domain List by Using DNS Query Graph Keisuke ISHIBASHI, Tsuyoshi TOYONO, Kazumichi SATO, Makoto IWAMURA, |
|---|---|
| PDF Download Page |  PDF download Page Link |
| Abstract(in Japanese) | (See Japanese page) |
| Abstract(in English) | Botnet hosts, which can be controlled by malicious operators for executing DDoS attacks or spamming, have been one of the major concerns of Internet security. One of the promising approaches for detecting those hosts is monitoring DNS traffic and detecting botnet-infected hosts by using black domain names. However, black domain name lists obtained through these methods may have a problem in their accuracy in that they do not cover all domain names caused by botnets. In addition, they may contain domain names that are not involved with botnet activities. In this paper, we propose a method to improve the accuracy of a black domain name list by using a DNS query graph, which composed with nodes of hosts and domains edeges representing query-relationship. Intuitively, domain names resolved by hosts that resolve many black domain names are also expected to be black, and domain names resolved by many hosts that do not resolve any black domain names are expected to be white. Thus, the DNS query graph indicates to us which domain names might be black or white. We also propose approximating a graph kernel value with random walk sampling because calculating a graph kernel requires operation of adjacency matrices of graphs, which may be difficult for huge graphs. We experimentally applied the proposed method using a black domain name list and DNS traffic. The result shows that most of the white domains mislisted as black can be removed. |
| Keyword(in Japanese) | (See Japanese page) |
| Keyword(in English) | DNS / Botnet / Graph Kernel |
| Paper # | SITE2008-47,IA2008-70 |
| Date of Issue |
| Conference Information | |
| Committee | IA |
|---|---|
| Conference Date | 2009/2/26(1days) |
| Place (in Japanese) | (See Japanese page) |
| Place (in English) | |
| Topics (in Japanese) | (See Japanese page) |
| Topics (in English) | |
| Chair | |
| Vice Chair | |
| Secretary | |
| Assistant | |
| Paper Information | |
| Registration To | Internet Architecture(IA) |
|---|---|
| Language | JPN |
| Title (in Japanese) | (See Japanese page) |
| Sub Title (in Japanese) | (See Japanese page) |
| Title (in English) | Evaluation of Black Domain List by Using DNS Query Graph |
| Sub Title (in English) | |
| Keyword(1) | DNS |
| Keyword(2) | Botnet |
| Keyword(3) | Graph Kernel |
| 1st Author's Name | Keisuke ISHIBASHI |
| 1st Author's Affiliation | NTT Information Sharing Platform Laboratories, NTT Corporation() |
| 2nd Author's Name | Tsuyoshi TOYONO |
| 2nd Author's Affiliation | NTT Information Sharing Platform Laboratories, NTT Corporation |
| 3rd Author's Name | Kazumichi SATO |
| 3rd Author's Affiliation | NTT Information Sharing Platform Laboratories, NTT Corporation |
| 4th Author's Name | Makoto IWAMURA |
| 4th Author's Affiliation | NTT Information Sharing Platform Laboratories, NTT Corporation |
| Date | 2009-03-05 |
| Paper # | SITE2008-47,IA2008-70 |
| Volume (vol) | vol.108 |
| Number (no) | 460 |
| Page | pp.pp.- |
| #Pages | 6 |
| Date of Issue | |