Conference Topic

Detection of Host Search Activity in PTR Resource Record Based DNS Query Packet Traffic

We statistically investigated the total PTR resource record (RR) based DNS query request packet traffic from the Internet to the top domain DNS server in a university campus network from January 1st to December 31st, 2009. The obtained results are: (1) We observed fourteen host search (HS) activities in which we can observe rapid decreases in the unique source IP address based entropy of the inbound PTR RR based DNS query packet traffic and significant increases in the unique DNS query keyword based one. (2) We found consecutive and random IP address based queries in the PTR RR based DNS query request packet traffic on the days of January 8th and 21st, 2009, respectively. Also, (3) we calculated Euclidean distances between the observed IP address and the last observed IP address as the DNS query keywords, and we detected two kinds of HS activities by employing threshold ranges of 1.0-2.0 and 150.2-210.4, respectively. Therefore, these results show that we can detect HS activity by calculating the Euclidean distances between the currently and the last observed IP addresses in the inbound PTR RR based DNS query request packet traffic.

Keywords: DNS based detection; host search; host name harvesting attack; anomaly detection; bots

Yasuo Musashi, Florent Hequet, Dennis Arturo Ludeña Romaña, Shinichiro Kubota, Kenichi Sugitani

Center for Multimedia and Information Technologies, Kumamoto University, 2-39-1 Kurokami, Kumamoto, JAPAN; Graduate School of Science and Technology, Kumamoto University, 2-39-1 Kurokami, Kumamoto, JAPAN, 860-855; Center for Multimedia and Information Technologies, Kumamoto University, 2-39-1 Kurokami, Kumamoto, JAPAN

International conference

2010 IEEE International Conference on Information and Automation (ICIA 2010)

Harbin

English

1-5

2010-06-20 (date first made available online on the Wanfang platform; this does not represent the paper's publication date)