DocumentCode :
2107425
Title :
Similarity Search over DNS Query Streams for Email Worm Detection
Author :
Chatzis, Nikolaos ; Brownlee, Nevil
Author_Institution :
Fraunhofer Inst. Fokus, Berlin
fYear :
2009
fDate :
26-29 May 2009
Firstpage :
588
Lastpage :
595
Abstract :
Email worms and the high volume of unsolicited email traffic on the Internet continue to be persistent operational security issues. In this work, we present a method to detect email worms soon after they appear at the local name server, which is topologically near the infected machines. Our method analyses, at flow level, the communication patterns between user machines and the local name server. To do so, it uses exact similarity search over time series produced by the Domain Name System (DNS) query streams of user machines, together with unsupervised learning. To evaluate our method, we have constructed and used a DNS query dataset that consists of 71 recent email worms. We demonstrate that our method is remarkably effective in the long run, and that time series similarity search can be a useful tool for intrusion detection, one that has not yet been adequately explored.
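The abstract describes per-host DNS query streams turned into time series, exact similarity search over those series, and an unsupervised decision rule. The block below is an added illustration of that pipeline, not the authors' implementation or dataset: it assumes a resolver log with one query per line in the form "<epoch-seconds> <client-ip> <qtype> <qname>" (constructed inline), bins each client's query count into fixed windows, runs a brute-force (exact) Euclidean nearest-neighbour search over the resulting series, and flags hosts whose nearest-neighbour distance is far above the population median. The assumption that an infected host shows up as a burst of MX lookups, and the choice of window length, horizon and threshold rule, are all assumptions made for the example.

```python
"""Flow-level DNS query time series per host, exact nearest-neighbour
search and an unsupervised outlier rule.  Added example only; not the
authors' implementation.  Assumes a resolver log with one query per
line, "<epoch-seconds> <client-ip> <qtype> <qname>" (constructed below),
and assumes a mail worm shows up as a burst of MX lookups."""
import math
import statistics
from collections import defaultdict

WINDOW = 60     # seconds per time-series bin (assumption)
HORIZON = 600   # observation period in seconds (assumption)
BINS = HORIZON // WINDOW


def make_sample_log():
    """Constructed log: four hosts with steady browsing lookups, and
    10.0.0.5 which adds one MX lookup per second for the second half."""
    lines = []
    for host, period in (("10.0.0.1", 30), ("10.0.0.2", 20),
                         ("10.0.0.3", 40), ("10.0.0.4", 30),
                         ("10.0.0.5", 30)):
        for t in range(0, HORIZON, period):
            lines.append(f"{t} {host} A www{t % 7}.example.net")
    for t in range(HORIZON // 2, HORIZON):
        lines.append(f"{t} 10.0.0.5 MX mail{t}.example.org")
    return lines


def build_series(lines):
    """Count queries per client per WINDOW: one time series per host,
    indexed by bin.  Queries outside [0, HORIZON) are ignored."""
    series = defaultdict(lambda: [0] * BINS)
    for line in lines:
        ts, client, _qtype, _qname = line.split(maxsplit=3)
        ts = int(ts)
        if 0 <= ts < HORIZON:
            series[client][ts // WINDOW] += 1
    return dict(series)


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def nearest_neighbour(series, host):
    """Exact (brute-force) 1-NN search under Euclidean distance:
    every other host's series is compared, so no candidate is missed.
    Ties are broken by client address for determinism."""
    best = min((euclid(series[host], s), other)
               for other, s in series.items() if other != host)
    return best[1], best[0]


def flag_outliers(series, k=3.0, floor=5.0):
    """Unsupervised rule (assumption): a host is suspicious if its
    nearest-neighbour distance exceeds k times the median NN distance
    of the population; `floor` stops a population of identical benign
    hosts (median 0) from flagging everyone."""
    nn = {h: nearest_neighbour(series, h)[1] for h in series}
    threshold = max(k * statistics.median(nn.values()), floor)
    return {h for h, d in nn.items() if d > threshold}


if __name__ == "__main__":
    s = build_series(make_sample_log())
    for host, ts in sorted(s.items()):
        print(host, ts, "nn=%s dist=%.1f" % nearest_neighbour(s, host))
    print("flagged:", flag_outliers(s))
```

Brute-force search is quadratic in the number of hosts, which is fine for a single site behind one local resolver; the point of the example is that the series are built from query counts alone (flow level), so no query names or payloads are needed to separate the bursting host from the steady ones.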
Keywords :
Internet; invasive software; query processing; telecommunication security; telecommunication traffic; unsolicited e-mail; unsupervised learning; DNS query stream; Internet; domain name system; email worm detection; local name server; operational security; similarity search; unsolicited email traffic; unsupervised learning; user machine; Computer worms; Domain Name System; Electronic mail; IP networks; Internet; Intrusion detection; Telecommunication traffic; Unsolicited electronic mail; Unsupervised learning; Web server;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Advanced Information Networking and Applications, 2009. AINA '09. International Conference on
Conference_Location :
Bradford
ISSN :
1550-445X
Print_ISBN :
978-1-4244-4000-9
Electronic_ISBN :
1550-445X
Type :
conf
DOI :
10.1109/AINA.2009.132
Filename :
5076252