Similarity Search over DNS Query Streams for Email Worm Detection

Email worms continue to be a persistent problem, indicating that current approaches against this class of self-propagating malicious code yield rather meagre results. Additionally, these approaches are intrinsically incapable of reducing the high volume of unwanted email traffic on the Internet because they are deployed in the network of the potential victims. In this work we present a method to detect email worms soon after they appear at the local name server, which is topologically near the infected machines, by analysing at flow level the Domain Name System (DNS) traffic of user machines. Our method uses exact similarity search over time series produced by the DNS query streams that user machines generate, combined with cluster analysis. To evaluate our method, we have constructed and used a DNS query dataset that consists of 71 recent email worms, and demonstrate that our method is remarkably effective in detecting email worm activity in the long run. As a secondary result, our work hi...
Nikolaos Chatzis, Nevil Brownlee
Added 18 May 2010
Updated 18 May 2010
Type Conference
Year 2009
Where AINA
Authors Nikolaos Chatzis, Nevil Brownlee