{"title":"Anomaly Detection by Monitoring Unintended DNS Traffic on Wireless Network","authors":"Yong Jin, M. Tomoishi, N. Yamai","doi":"10.1109/PACRIM47961.2019.8985052","DOIUrl":null,"url":null,"abstract":"Cybersecurity threats from malware attacks have become one of the most serious issues on the Internet. Most types of malware, after intruding into an individual computer, attempt to connect to the corresponding Command and Control (C&C) servers using IP addresses or Fully Qualified Domain Names (FQDNs) and receive further instructions from them (e.g. the IP addresses and FQDNs of attack targets) in order to conduct subsequent cyber attacks. In recent years, it has become clear that DNS traffic has been used for communication between malware-infected computers and C&C servers. In this research, we focus on these peculiarities and propose a method for detecting malware-infected computers by monitoring unintended DNS traffic on wireless networks in collaboration with a DHCP (Dynamic Host Configuration Protocol) server. With the proposed system deployed on campus wireless networks, computers in a DHCP-configured environment can be detected when they are infected by some types of malware that attempt to communicate with the corresponding C&C servers using the DNS (Domain Name System) protocol. In this paper, we describe the detailed design of the proposed method; future work includes prototype implementation as well as evaluation.","PeriodicalId":152556,"journal":{"name":"2019 IEEE Pacific Rim Conference on Communications, Computers and Signal Processing (PACRIM)","volume":"28 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2019-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2019 IEEE Pacific Rim Conference on Communications, Computers and Signal Processing (PACRIM)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/PACRIM47961.2019.8985052","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 3
Abstract
Cybersecurity threats from malware attacks have become one of the most serious issues on the Internet. Most types of malware, after intruding into an individual computer, attempt to connect to the corresponding Command and Control (C&C) servers using IP addresses or Fully Qualified Domain Names (FQDNs) and receive further instructions from them (e.g. the IP addresses and FQDNs of attack targets) in order to conduct subsequent cyber attacks. In recent years, it has become clear that DNS traffic has been used for communication between malware-infected computers and C&C servers. In this research, we focus on these peculiarities and propose a method for detecting malware-infected computers by monitoring unintended DNS traffic on wireless networks in collaboration with a DHCP (Dynamic Host Configuration Protocol) server. With the proposed system deployed on campus wireless networks, computers in a DHCP-configured environment can be detected when they are infected by some types of malware that attempt to communicate with the corresponding C&C servers using the DNS (Domain Name System) protocol. In this paper, we describe the detailed design of the proposed method; future work includes prototype implementation as well as evaluation.