direkt zum Inhalt springen

direkt zum Hauptnavigationsmenü

Sie sind hier

TU Berlin

Inhalt des Dokuments

All publications

Similarity Search over DNS Query Streams for Email Worm Detection
Citation key CB-SSDQSEWD-09
Author Chatzis, Nikolaos and Brownlee, Nevil
Title of Book Proceedings of the 23rd International Conference on Advanced Information Networking and Applications (AINA '09)
Pages 588–595
Year 2009
DOI http://dx.doi.org/10.1109/AINA.2009.132
Address New York, NY, USA
Publisher IEEE
Abstract Email worms and the high amount of unsolicited email traffic on the Internet continue to be persistent operational security issues. In this work, we present a method to detect email worms soon after they appear at the local name server, which is topologically near the infected machines. Our method analyses at flow level the communication patterns between user machines and the local name server. With respect to this, it uses exact similarity search over time series produced by the Domain Name System (DNS) query streams of user machines, and unsupervised learning. To evaluate our method, we have constructed and used a DNS query dataset that consists of 71 recent email worms. We demonstrate that our method is remarkably effective in the long run, and that time series similarity search can be a useful tool for intrusion detection, one that has not yet been adequately explored.
Download Bibtex entry

Zusatzinformationen / Extras

Quick Access:

Schnellnavigation zur Seite über Nummerneingabe