Feature Selection with PCA based on DNS Query for Malicious Domain Classification

Component Extraction Using Principal Component Analysis Based on DNS Queries for Abnormal Domain Classification

  • Received : 2012.05.16
  • Accepted : 2012.08.13
  • Published : 2012.10.30

Abstract

Recent botnets widely use DNS services when connecting to their C&C servers in order to evade detection. Research on DNS traffic analysis is therefore necessary to counter anomalous behaviour that relies on DNS. This paper studies the collection of DNS traffic as experimental data and supervised learning for DNS-traffic-based malicious domain classification, such as queries from zombie hosts for the domain name of a C&C server. In particular, this paper aims to determine the significant features of a DNS-based classification system for malicious domain extraction by Principal Component Analysis (PCA).

Recent botnets use the DNS (Domain Name System) service when connecting to C&C (Command and Control) servers in order to evade detection techniques. To respond to abnormal behaviour that uses the DNS service, research on DNS-traffic-based analysis is needed. This paper studies DNS traffic collection and supervised learning for the DNS-traffic-based classification of abnormal domains, such as zombie PCs querying the domain address of a C&C server. In particular, this paper shows that effective analysis components for a DNS-based classification system can be constructed through the PCA (Principal Component Analysis) technique.
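The abstract describes the pipeline only at a high level: aggregate DNS query traffic into per-domain features, use PCA to decide which features carry the signal, then train a supervised classifier on them. The following Python script is an added example, not code from the paper, whose actual feature set and data are not given on this page. It standardizes a constructed table of per-domain query statistics, computes the principal components by power iteration, scores each feature by the variance it contributes to the retained components, drops the weak ones, and trains a nearest-centroid classifier on what remains. All feature names, sample values, the 60% explained-variance target and the keep ratio are assumptions for illustration.

```python
"""Added example (not the paper's code): PCA-based feature selection over
constructed per-domain DNS query statistics, then a nearest-centroid classifier
on the retained features. Names and values below are assumptions."""
import math

# Hypothetical per-domain features aggregated from DNS query logs (assumed names).
FEATURE_NAMES = ["queries_per_hour", "distinct_clients", "nxdomain_ratio",
                 "avg_ttl_seconds", "distinct_resolved_ips", "qname_length"]

# Constructed training rows: label 1 = domain queried like a C&C rendezvous point
# (many clients, bursty lookups, short TTL, many resolved IPs); label 0 = benign.
# qname_length is deliberately unrelated to the label, so it should be dropped.
TRAIN = [
    ([120.0, 45.0, 0.60,   60.0,  9.0, 12.0], 1),
    ([150.0, 52.0, 0.55,   30.0, 12.0,  9.0], 1),
    ([ 90.0, 38.0, 0.70,   45.0,  8.0, 15.0], 1),
    ([130.0, 49.0, 0.50,   20.0, 11.0,  8.0], 1),
    ([ 10.0,  4.0, 0.02, 3600.0,  1.0, 11.0], 0),
    ([ 25.0,  6.0, 0.01, 7200.0,  2.0, 14.0], 0),
    ([ 15.0,  3.0, 0.03, 3600.0,  1.0,  7.0], 0),
    ([ 30.0,  8.0, 0.00, 1800.0,  2.0, 10.0], 0),
]
# Constructed held-out rows used only to check the classifier.
HELDOUT = [([140.0, 50.0, 0.65, 40.0, 10.0, 13.0], 1),
           ([ 20.0,  5.0, 0.01, 3600.0, 1.0,  9.0], 0)]


def column_stats(rows):
    """Per-column mean and sample standard deviation (zero std mapped to 1)."""
    n, d = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(d)]
    stds = [math.sqrt(sum((r[j] - means[j]) ** 2 for r in rows) / (n - 1)) for j in range(d)]
    return means, [s if s > 0 else 1.0 for s in stds]


def standardize(rows, means, stds):
    """z-score every column so TTL seconds and ratios are comparable."""
    return [[(r[j] - means[j]) / stds[j] for j in range(len(r))] for r in rows]


def covariance(z):
    n, d = len(z), len(z[0])
    return [[sum(r[i] * r[j] for r in z) / (n - 1) for j in range(d)] for i in range(d)]


def top_components(cov, k, iters=1000):
    """Power iteration with deflation: the k largest (eigenvalue, unit vector) pairs."""
    d = len(cov)
    a = [row[:] for row in cov]
    comps = []
    for _ in range(k):
        v = [1.0 / math.sqrt(d)] * d
        for _ in range(iters):
            w = [sum(a[i][j] * v[j] for j in range(d)) for i in range(d)]
            norm = math.sqrt(sum(x * x for x in w))
            if norm < 1e-12:
                break
            v = [x / norm for x in w]
        lam = sum(v[i] * a[i][j] * v[j] for i in range(d) for j in range(d))
        comps.append((lam, v))
        for i in range(d):  # deflate so the next pass finds the next component
            for j in range(d):
                a[i][j] -= lam * v[i] * v[j]
    return comps


def select_features(rows, target=0.6, keep_ratio=0.5):
    """Return (selected names, per-feature score, components used, explained ratio).
    A feature's score is the variance of its standardized column that the retained
    components account for; features below keep_ratio * max score are dropped."""
    means, stds = column_stats(rows)
    cov = covariance(standardize(rows, means, stds))
    total = sum(cov[j][j] for j in range(len(cov)))  # equals the feature count after z-scoring
    comps = top_components(cov, len(cov))
    explained, k = 0.0, 0
    for lam, _ in comps:  # smallest k whose cumulative variance reaches the target
        explained += lam / total
        k += 1
        if explained >= target:
            break
    scores = {name: sum(lam * v[j] ** 2 for lam, v in comps[:k])
              for j, name in enumerate(FEATURE_NAMES)}
    cutoff = keep_ratio * max(scores.values())
    selected = [name for name in FEATURE_NAMES if scores[name] >= cutoff]
    return selected, scores, k, explained


def fit_centroids(rows, labels, features, means, stds):
    """Supervised step: one centroid per label in the selected standardized features."""
    idx = [FEATURE_NAMES.index(f) for f in features]
    z = standardize(rows, means, stds)
    cents = {}
    for label in set(labels):
        members = [z[i] for i, l in enumerate(labels) if l == label]
        cents[label] = [sum(m[j] for m in members) / len(members) for j in idx]
    return cents, idx


def predict(row, cents, idx, means, stds):
    pt = [standardize([row], means, stds)[0][j] for j in idx]
    return min(cents, key=lambda lab: sum((p - c) ** 2 for p, c in zip(pt, cents[lab])))


def run_demo():
    """Select features on TRAIN, fit centroids, and label the held-out rows."""
    rows, labels = [r for r, _ in TRAIN], [l for _, l in TRAIN]
    selected, _, _, _ = select_features(rows)
    means, stds = column_stats(rows)  # training statistics only, never the held-out rows
    cents, idx = fit_centroids(rows, labels, selected, means, stds)
    return [predict(r, cents, idx, means, stds) for r, _ in HELDOUT]


if __name__ == "__main__":
    sel, sc, k, ex = select_features([r for r, _ in TRAIN])
    print(f"{k} component(s) explain {ex:.2f} of variance; kept {sel}")
    print("held-out predictions:", run_demo())
```

The caveat a practitioner should keep in mind is that PCA is unsupervised: it ranks features by variance, not by relevance to the label. In the constructed data the unrelated `qname_length` column varies as much as any other, so if more components were retained it would become a component of its own and survive selection; it is dropped here only because the first component already reaches the 60% target. Standardizing with training statistics before both PCA and classification is what lets a 3600-second TTL and a 0.6 NXDOMAIN ratio sit in the same space.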

Cited by

  1. Detecting Cyber Threats Domains Based on DNS Traffic vol.37B, pp.11, 2012, https://doi.org/10.7840/kics.2012.37B.11.1082