Detecting Malicious Domains with Probabilistic Threat Propagation on DNS Graph
Yuta Kazato, Toshiharu Sugawara (Waseda University); Kensuke Fukuda (National Institute of Informatics / Sokendai)
Vol. 33, No. 3 (2016), pp. 16–28. Date given with the bibliographic entry: 2015/8/20.

[page 16]

[Japanese abstract: only fragments survive: DNS (Domain Name System), IP, (DNS graph), Probabilistic Threat Propagation, 69%, 9%, 40%, 2,170]

Abstract. This paper proposes a method to estimate malicious domain names from a large-scale DNS query/response dataset. The key idea of the work is to leverage a DNS graph, that is, a bipartite graph consisting of domain names and their corresponding IP addresses. We apply the concept of Probabilistic Threat Propagation (PTP), with a set of predefined benign and malicious nodes, to a DNS graph obtained from DNS queries at a backbone link. The performance of our proposed method (EPTP) outperformed that of the original PTP method (9% improvement) and that of a traditional method using N-grams (40% improvement) in an ROC analysis. We finally estimated 2,170 new malicious domain names with EPTP.

1 Domain Name System (DNS) ( ) IP DNS IP DNS DNS
IP IP C&C IP DNS ( )

Vol. 33 No. 3 Aug. 2016 [page 17]

[Fig. 1: example DNS graph; domain nodes benign.com, benign.net, unknown.com, malicious.com; IP nodes IP 1, IP 2, IP 3; node classes (malicious), (benign), (unknown)]

(Probabilistic Threat Propagation; PTP) DNS IP 2 (DNS ) ( 1) ( IP ) 3 DNS PTP EPTP (Extended PTP) 9% (N-gram ) 40% 2 (1) PTP EPTP (2) DNS DNS 2

2. 1 DNS DNS 1 DNS Top Level Domain (TLD) (.jp) Second Level Domain (SLD) (, co.jp) IP ( ) gTLD (.com, .net) ccTLD (.cn, .jp) 60 85% [8] [10] [24] 50% TLD [12] gTLD .com .net [20] ccTLD .cn [25] 90% gTLD DNS 1 [13] TLD

2. 2
2. 2. 1 DDoS ( ) Exposure [7] Kopis [3] Notos [2] Exposure [7] time to live (TTL) 15 3,000

[page 18]

Kopis [3] DDoS Notos [2] [14] DNS SVM

2. 2. 2 [26] Domain Generation Algorithm (DGA) (N-gram) K-L DGA [15] Jaccard index C&C NX ( ) [27] [4] NX DGA [23] DGA

2. 2. 3 DNS [28] DNS [22] Fast-flux DNS IP Flux (CDN ) [16] [6] NX DNS failure graph [16] 3G [19] [11] [9] Manadhata [19] HTTP DNS Polonium [11] Machine File

2 Probability Threat Propagation (PTP) [9] web proxy IP URL IP PTP PTP [9] DNS DNS (DNS)

3
3. 1 DNS DNS A IP

[page 19]

2 DNS ( 1) G = (X, E): X IP; IP i IP j (e_ij ∈ E). 1 IP 1 IP ( CDN) 1 IP 1 IP ( ) DNS [5] IP

PTP [9] (Malicious ) {malicious} P(x ∈ malicious) = γ. PTP G x_i:

$$P(x_i; G) = \sum_{j \in N(x_i)} w_{ij}\, P(x_j \mid x_i = 0; G) \tag{1}$$

N(x_i) x_i, w_ij i j, P(x_j | x_i = 0; G) x_i. 0 ≤ x_j ≤ 1, O(N^2). (1) k (2):

$$P_k(x_i) = \sum_{j \in N(x_i)} w_{ij}\bigl(P_{k-1}(x_j) - C_{k-1}(x_i, x_j)\bigr) \tag{2}$$

P_k(x_i) k x_i; P_{k-1}(x_j) k−1 x_j; C_{k-1}(x_i, x_j) k−1 x_i x_j (3), k x_j x_i:

$$C_{k-1}(x_i, x_j) = w_{ji}\, P_{k-2}(x_i) \tag{3}$$

w_ij (4):

$$w_{ij} = \begin{cases} \dfrac{1}{|N(x_i)|} & e_{ij} \in E \\ 0 & e_{ij} \notin E \end{cases} \tag{4}$$

3. 2 EPTP PTP Alexa [1] DNS Alexa {benign}

[page 20]

Algorithm 1 EPTP
Require: W, {malicious}, {benign}, γ, β
1: P ← α·1_N, P(malicious) ← γ, P(benign) ← β, C ← 0_{N×N}
2: repeat
3:   T ← W diag(P)
4:   C ← T − W ∘ Cᵀ
5:   P ← ⟨C, 1⟩
6:   C(malicious, ·) ← 0, C(benign, ·) ← 0
7:   P(malicious) ← γ, P(benign) ← β
8: until P has converged
9: return P
(A ∘ B: element-wise product with entries A(i, j) B(i, j))

{malicious} P(malicious) ← γ, {benign} P(benign) ← β, 0 0. T ← W diag(P) (diag(P): P N×N). T W Cᵀ 2.

[Fig. 2: Extended Probability Threat Propagation; C, C, P = ⟨C, 1⟩; {benign} Benign, Malicious]

1 PTP Malicious γ, [0, 1], 0. EPTP β > 0, γ < 0, α = (γ + β)/2. P(x) γ, P(x) < α; P(x) γ, α < P(x), β; P(x) β. Benign β = 1, Malicious γ = −1, α = (γ + β)/2 = 0 ( 2). EPTP 2.

N; P ∈ R^N (P(i) = P(x_i)); W ∈ R^{N×N}; T ∈ R^{N×N} (T(i, j) = W(i, j) P(j)); C ∈ R^{N×N}, C = T − W ∘ Cᵀ. 1 EPTP (⟨·, ·⟩: inner product; 1_N: N-vector of ones). P {malicious} {benign} P C x x {malicious}, {benign}. EPTP 1 P 0.001 P x k. PTP 100 50.

4
4. 1 DNS DNS 1 DNS tcpdump UDP port 53 2013 11 5 28
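Algorithm 1 as working code, added here as an illustration and not the authors' implementation: it builds the row-normalised bipartite matrix W of eq. (4) and runs the repeat loop on a constructed graph shaped like Fig. 1. Assumed: γ = −1 for malicious seeds, β = 1 for benign seeds, α = (γ + β)/2 = 0 for unlabelled nodes, convergence when no score moves by more than 0.001, and the decision rule "score < −τ means malicious" with τ = 0.1 (the sign convention is my reading of Table 6).

```python
# Added example: Algorithm 1 (EPTP) in plain Python, not the paper's own code.
# Assumptions: gamma = -1 (malicious seeds), beta = +1 (benign seeds),
# alpha = (gamma + beta) / 2 = 0 for unlabelled nodes, convergence when no
# score changes by more than 0.001, and "score < -tau => malicious".


def build_dns_graph(domains, ips, edges):
    """Bipartite domain/IP graph as the weight matrix W of eq. (4):
    w_ij = 1/|N(x_i)| when (x_i, x_j) is an edge, 0 otherwise."""
    nodes = list(domains) + list(ips)
    idx = {name: i for i, name in enumerate(nodes)}
    neighbours = [set() for _ in nodes]
    for dom, ip in edges:                      # each edge joins a domain to an IP
        neighbours[idx[dom]].add(idx[ip])
        neighbours[idx[ip]].add(idx[dom])
    W = [[0.0] * len(nodes) for _ in nodes]
    for i, nb in enumerate(neighbours):
        for j in nb:
            W[i][j] = 1.0 / len(nb)
    return idx, W


def eptp(W, malicious, benign, gamma=-1.0, beta=1.0, tol=1e-3, max_iter=100):
    """Algorithm 1. C[i][j] is what node j contributed to P[i] in the last
    round; subtracting W[i][j] * C[j][i] removes the echo of i's own score
    (eq. 2 and 3). Seed rows are cleared and seed scores re-pinned each round."""
    n = len(W)
    seeds = set(malicious) | set(benign)
    P = [(gamma + beta) / 2.0] * n             # P <- alpha * 1_N
    for i in malicious:
        P[i] = gamma
    for i in benign:
        P[i] = beta
    C = [[0.0] * n for _ in range(n)]
    for _ in range(max_iter):
        # T <- W diag(P); C <- T - W o C^T, written element-wise
        C_next = [[W[i][j] * (P[j] - C[j][i]) for j in range(n)] for i in range(n)]
        P_next = [sum(row) for row in C_next]  # P <- <C, 1>
        for i in seeds:
            C_next[i] = [0.0] * n              # C(malicious, .) <- 0, C(benign, .) <- 0
            P_next[i] = gamma if i in malicious else beta
        converged = max(abs(a - b) for a, b in zip(P_next, P)) < tol
        P, C = P_next, C_next
        if converged:
            break
    return P


def score_fig1_graph():
    """Constructed graph in the shape of Fig. 1 (the edges are made up here)."""
    domains = ["benign.com", "benign.net", "unknown.com", "malicious.com"]
    ips = ["IP1", "IP2", "IP3"]
    edges = [("benign.com", "IP1"), ("benign.net", "IP1"), ("benign.net", "IP2"),
             ("unknown.com", "IP3"), ("malicious.com", "IP3")]
    idx, W = build_dns_graph(domains, ips, edges)
    P = eptp(W, malicious=[idx["malicious.com"]],
             benign=[idx["benign.com"], idx["benign.net"]])
    return {name: round(P[i], 4) for name, i in idx.items()}


def flag_malicious(scores, tau=0.1):
    """Nodes whose score falls below -tau; tau = 0.1 as in the paper's Table 6."""
    return sorted(name for name, s in scores.items() if s < -tau)


if __name__ == "__main__":
    scores = score_fig1_graph()
    for name, s in sorted(scores.items(), key=lambda kv: kv[1]):
        print(f"{name:14s} {s:+.3f}")
    print("flagged as malicious:", flag_malicious(scores))
```

On this graph unknown.com and IP3 settle at −0.5 because the unlabelled domain shares its only IP with a malicious seed, while IP1 and IP2 reach +1 from benign seeds only.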

[page 21]

[Fig. 3: daily counts of IN, OUT and KEEP domains (Total Number ×1000) over 11/05–11/26, Time (JST 2013); panels (a) all domains, (b) Benign, (c) Malicious, (d) Suspicious]

3 IN KEEP OUT. 24 DNS (A ) IP DNS 1,348,547, IP 2,417,727, 3,917,402.

4. 2 DNS (Malicious) malwaredomains.com [18] uribl.com [21] (Malicious ). (Benign) Alexa [1] (Alexa ) 30,000 30,653. Alexa DGA.

5 DNS DNS
5. 1 DNS 1 DNS: k−1 and k → KEEP; k−1 only → OUT; k only → IN. DNS (All) (Malicious) (Benign) 3. 3 1 DNS IN KEEP OUT. 3 (a) (c) 30,000 30,653. KEEP IN OUT 1 65% KEEP. KEEP ( 71.8%) IN OUT ( 51.4%).

[page 22]

Table 1: share of KEEP, IN and OUT domains by class
            KEEP    IN      OUT
ALL         65.9%   17.1%   17.1%
Benign      71.8%   14.1%   14.1%
Malicious   48.6%   25.8%   25.6%
Suspicious  65.3%   17.4%   17.2%

Table 2: DNS graph statistics (row labels other than IP reconstructed: nodes = domains + IP addresses, average degree = 2·edges/nodes; last row unlabelled)
                   d = 1       d = 24
nodes              1,271,975   3,766,274
domains              668,266   1,348,547
IP addresses         603,709   2,417,727
edges              1,199,612   3,917,402
average degree          1.88        2.08
(unlabelled)         203,670     356,676

5. 2 DNS 2013/11/05 1 (d = 1); 2013/11/05 28 24 (d = 24). 2 DNS d=1 DNS 127 120 20 DNS. d = 24 d=1 DNS 2.96 2 IP 4 3.27 1.75. DNS d= 24 DNS 4 75% IP 1 1. d=24 70%.

[Fig. 4: Frequency (10^0–10^6) against Number of nodes (10^0–10^7), both log scale, d = 24]

Table 3: ten largest components (d = 24); second column label reconstructed as domains
No.   domains      IP   Benign  Malicious
1     778,279  1,832,123   5664    471
2           1     19,929      0      0
3           1      1,563      0      0
4       1,545          2      0      0
5       1,450         20      0      1
6           1      1,457      0      0
7          22      1,407      0      0
8           2      1,424      0      0
9           3      1,384      0      0
10      1,345         41      0      1

90% 6 10 3 (d=24) 1 IP IP 2 spmode.ne.jp pandaworld.ne.jp 1

[page 23]

Table 4: largest component (row labels other than IP reconstructed; last two rows unlabelled)
                   d = 1       d = 24
nodes                567,663   2,610,402
domains              349,581     778,279
IP addresses         218,082   1,832,123
edges                688,706   3,095,916
(unlabelled)            1.88        2.37
(unlabelled)              28          26

Table 5: node-pair distances by class pair (column labels for the two counts not recovered)
pair   count (%)           count (%)            ave   med
B–B      912,073 (14.4)    5,422,947 (85.6)     6.5   6
M–M       13,743 (5.1)       258,210 (94.9)     8.0   8
B–M      343,879 (6.5)     4,911,630 (93.5)     8.4   8
U–U    2,738,310 (30.5)    6,226,634 (69.5)     8.3   8

IP 4 DNS 20 2.

[Fig. 5: Frequency (0.00–0.45) of Node distance (0–24) for Benign-Benign, Malicious-Malicious, Benign-Malicious and Unknown-Unknown pairs; d=24 and d=1]

5 4.6 4.5 DNS (d=1 2.96 3.27 ). 3 d=1 d=24 2 (B–B) 6.5; 4 (B–M) 8.4; (M–M) 8.0, 8. 5 2 15% IP (B–B).

5. 3 d=1 Benign Malicious Unknown 5. 5 B–B, M–M, B–M, U–U. Benign Malicious Benign Malicious Unknown (B–M) Unknown (U–U) B–M.

6 EPTP EPTP PTP, N-gram EPTP DNS

[page 24]

[Fig. 6: TPR and FPR (Ratio 0.0–1.0) against Threshold (−1.0 to 1.0)]

[Fig. 7: ROC curves (k-fold cross validation): True Positive Rate against False Positive Rate (0.00–0.05) for 10-cv-Original PTP, 10-cv-Extended PTP, 5-cv-Original PTP, 5-cv-Extended PTP and Bigram-based]

6. 1 EPTP 2,000, 1,973. k-fold cross validation (CV) (k = 5, 10) DNS 1. 10-fold CV P(x) TPR (True Positive Rate) FPR (False Positive Rate) 6. TPR 0.5 0; τ = 0 TPR 90%, FPR. τ = 0 FPR 0 0.5 TLD biz net info SLD DGA. Receiver Operating Characteristic (ROC) (EPTP) (PTP) N-gram [17] [26] 7. 10-fold CV ROC EPTP FPR 0.016 PTP TPR 0.827; EPTP TPR 0.904. 5-fold CV 10-fold CV ROC. 10-fold CV N-gram 40%.

[Fig. 8: Time (s) and Memory (MiB), log scale 10^-1–10^4, against Number of nodes 10^3–10^6]

1,000 10,000 100,000 1,000,000 EPTP 8 (CPU: Intel Xeon X5675 3.07GHz; Memory 32GB) 10

[page 25]

Table 6: domain names estimated malicious by EPTP (τ = 0.1) with their scores
4c4brcwmg.biz          -0.978
info-ezweb-ne-jp.info  -0.75
poohpoohhany.info      -0.680
bvncm-kdkdkgree.jp     -0.538
nomoguz.su             -0.344
kisjehmbga.jp          -0.241
google-play.jp         -0.2

[Fig. 9: IP EPTP IP 1 IP IP IP 7 9 (legend: , : IP, : )]

6. 2 DNS d=24 DNS EPTP 6 FPR 0 τ = 0.1 0.1 IP 2,170 IP 12,884 6 EPTP (τ = 0.1) 9.

7
7. 1 IN KEEP OUT 6. 2 EPTP Suspicious IN KEEP OUT ( 3 (d) 1). Suspicious ALL IN KEEP OUT IN KEEP OUT Suspicious Malicious DGA 6 Suspicious DGA DNS 5 5 2

[page 26]

PTP 4.

7. 2 DNS DNS IP DNS, d=24 377 392 DNS DNS DNS 69% 1 IP IP.

7. 3 EPTP [9] PTP Alexa 10-fold CV FPR (=0.016) 8% 90.4% ( 7). EPTP 6 τ = 0 DNS 8 10 DNS 5-fold CV 10-fold CV 6 τ 0.1 2,170 ( 6). DGA google-play.jp N-gram EPTP ( 9) IP IP.

[page 27]

8 DNS A PTP DNS 1 EPTP DNS 90.4% 2,170 Malicious Alexa.

(15H02699) (EU) FP7 (608533: NECOMA)

References
[1] Alexa: Alexa [Online], http://www.alexa.com/topsites/.
[2] Antonakakis, M., Perdisci, R., Dagon, D., Lee, W. and Feamster, N.: Building a Dynamic Reputation System for DNS, in Proceedings of USENIX Security Symposium, 2010, pp. 273–290.
[3] Antonakakis, M., Perdisci, R., Lee, W., Vasiloglou II, N. and Dagon, D.: Detecting Malware Domains at the Upper DNS Hierarchy, in Proceedings of USENIX Security Symposium, 2011, pp. 411–426.
[4] Antonakakis, M., Perdisci, R., Nadji, Y., Vasiloglou II, N., Abu-Nimeh, S., Lee, W. and Dagon, D.: From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware, in Proceedings of USENIX Security Symposium, 2012, pp. 491–506.
[5] Arkko, J., Cotton, M. and Vegoda, L.: IPv4 Address Blocks Reserved for Documentation, RFC 5737, January 2010.
[6] Bar, A., Paciello, A. and Romirer-Maierhofer, P.: Trapping botnets by DNS failure graphs: validation, extension and application to a 3G network, in Proceedings of TMA '13, IEEE, 2013, pp. 393–398.
[7] Bilge, L., Sen, S., Balzarotti, D., Kirda, E. and Kruegel, C.: EXPOSURE: a passive DNS analysis service to detect and report malicious domains, ACM Transactions on Information and System Security (TISSEC), Vol. 16, No. 4 (2014), p. 14.
[8] Brownlee, N., Claffy, K. and Nemeth, E.: DNS measurements at a root server, in Proceedings of GLOBECOM '01, Vol. 3, IEEE, 2001, pp. 1672–1676.
[9] Carter, K. M., Idika, N. and Streilein, W. W.: Probabilistic threat propagation for malicious activity detection, in Proceedings of ICASSP '13, IEEE, 2013, pp. 2940–2944.
[10] Castro, S., Wessels, D., Fomenkov, M. and Claffy, K.: A Day at the Root of the Internet, ACM SIGCOMM Computer Communication Review, Vol. 38, No. 5 (2008), pp. 41–46.
[11] Chau, D., Nachenberg, C., Wilhelm, J., Wright, A. and Faloutsos, C.: Polonium: Tera-scale graph mining and inference for malware detection, in Proceedings of SIAM International Conference on Data Mining, Vol. 2, 2011.
[12] Gao, H., Yegneswaran, V., Chen, Y., Porras, P., Ghosh, S., Jiang, J. and Duan, H.: An empirical reexamination of global DNS behavior, in Proceedings of SIGCOMM '13, ACM, 2013, pp. 267–278.
[13] Hao, S., Feamster, N. and Pandrangi, R.: Monitoring the initial DNS behavior of malicious domains, in Proceedings of IMC '11, ACM, 2011, pp. 269–278.
[14] Ishibashi, K. and Sato, K.: Classifying DNS Heavy User Traffic by using Hierarchical Aggregate Entropy, in Proceedings of World Telecommunications Congress (WTC '12), 2012, pp. 1–6.
[15] Ishibashi, K., Toyono, T., Hasegawa, H. and Yoshino, H.: Extending black domain name list by using co-occurrence relation between DNS queries, IEICE Transactions on Communications, Vol. 95, No. 3 (2012), pp. 794–802.
[16] Jiang, N., Cao, J., Jin, Y., Li, L. E. and Zhang, Z.-L.: Identifying suspicious activities through DNS failure graph analysis, in Proceedings of ICNP '10, IEEE, 2010, pp. 144–153.
[17] Kazato, Y., Fukuda, K. and Sugawara, T.: Towards classification of DNS erroneous queries, in Proceedings of AINTEC '13, ACM, 2013, pp. 25–32.

[page 28]

[18] Malware Domain Blocklist: DNS-BH Malware Domain Blocklist, http://www.malwaredomains.com/.
[19] Manadhata, P. K., Yadav, S., Rao, P. and Horne, W.: Detecting Malicious Domains via Graph Inference, in Proceedings of ESORICS '14, Springer, 2014, pp. 1–18.
[20] Osterweil, E., McPherson, D., DiBenedetto, S., Papadopoulos, C. and Massey, D.: Behavior of DNS Top Talkers, a .com/.net View, in Proceedings of PAM '12, Springer, 2012, pp. 211–220.
[21] Vixie, P.: Realtime URI Blacklist, http://uribl.com/.
[22] Perdisci, R., Corona, I., Dagon, D. and Lee, W.: Detecting malicious flux service networks through passive analysis of recursive DNS traces, in Proceedings of ACSAC '09, IEEE, 2009, pp. 311–320.
[23] Schiavoni, S., Maggi, F., Cavallaro, L. and Zanero, S.: Phoenix: DGA-based botnet tracking and intelligence, in Proceedings of DIMVA '14, Springer, 2014, pp. 192–211.
[24] Wessels, D. and Fomenkov, M.: Wow, that's a lot of packets, in Proceedings of PAM '03, 2003.
[25] Xuebiao, Y., Xin, W., Xiaodong, L. and Baoping, Y.: DNS measurements at the .cn TLD servers, in Proceedings of FSKD '09, Vol. 7, 2009, pp. 540–545.
[26] Yadav, S., Reddy, A., Reddy, A. and Ranjan, S.: Detecting algorithmically generated malicious domain names, in Proceedings of IMC '10, ACM, 2010, pp. 48–61.
[27] Yadav, S. and Reddy, A. N.: Winning with DNS failures: Strategies for faster botnet detection, in Proceedings of SecureComm '12, Springer, 2012, pp. 446–459.
[28] (authors and title not captured): DNS, IOT, No. 21 (2009), pp. 19–24.

[Author biographies: only year fragments (2015, 1999, 2005, 2006, 2002, 2008–2012, 2014–2015, 1982, 1992, 1993) and society memberships (ISOC, IEEE, ACM, AAAI) survive.]