DocumentCode :
3390721
Title :
Email worm detection by wavelet analysis of DNS query streams
Author :
Chatzis, Nikolaos ; Popescu-Zeletin, Radu ; Brownlee, Nevil
Author_Institution :
Fraunhofer Inst. FOKUS, Berlin
fYear :
2009
fDate :
March 30 2009-April 2 2009
Firstpage :
53
Lastpage :
60
Abstract :
The high prevalence of email worms indicates that current in-network defence mechanisms are incapable of mitigating this Internet threat. Moreover, commonly applied approaches against this class of propagating malicious program do not target reducing unwanted email traffic traversing the Internet. In this paper, we take a step toward better understanding of email worms, and explore their effect on the flow-level characteristics of domain name system (DNS) query streams that user machines generate. We propose a novel method, which uses time series analysis and unsupervised learning, to detect email worms as they appear on local name servers. To evaluate our detection method, we have constructed a DNS query dataset that consists of 71 email worms. We demonstrate that our method is very effective.
Keywords :
Internet; electronic mail; invasive software; query processing; time series; unsupervised learning; DNS query streams; Internet threat; domain name system; email worm detection; malicious program; time series analysis; unsupervised learning; unwanted email traffic; wavelet analysis; Character generation; Computer worms; Domain Name System; Humans; Internet; Telecommunication traffic; Time series analysis; Unsupervised learning; Wavelet analysis; Web server;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Computational Intelligence in Cyber Security, 2009. CICS '09. IEEE Symposium on
Conference_Location :
Nashville, TN
Print_ISBN :
978-1-4244-2769-7
Type :
conf
DOI :
10.1109/CICYBS.2009.4925090
Filename :
4925090