DNS查询请求报文流量中主机搜索攻击趋势分析

2012 Fifth International Conference on Intelligent Networks and Intelligent Systems Pub Date : 2012-11-01 DOI:10.1109/ICINIS.2012.11

N. Shibata, Y. Musashi, D. Romaņa, S. Kubota, K. Sugitani

{"title":"DNS查询请求报文流量中主机搜索攻击趋势分析","authors":"N. Shibata, Y. Musashi, D. Romaņa, S. Kubota, K. Sugitani","doi":"10.1109/ICINIS.2012.11","DOIUrl":null,"url":null,"abstract":"We statistically investigated the total PTR resource record (RR) based DNS query request packet traffic from the Internet to the top domain DNS server in a university campus network through January 1st to December 31st, 2011. The obtained results are: (1) We found twelve host search (HS) attacks in the scores for detection method using the calculated Euclidean distances between the observed IP address and the last observed IP address in the DNS query keywords by employing both threshold ranges of 1.0-2.0 (consecutive) and 150.2-210.4 (random). However, we found nineteen HS attacks in the scores using the calculated cosine distance between the DNS query IP addresses (threshold ranges of 0.75-0.83 and 0.9-1.0). (3) In the newly found HS attacks, we observed that the source IP addresses of the HS attack DNS query packets are distributed. Therefore, it can be concluded that the cosine distance based detection technology has a possibility to detect the source IP address-distributed host search attack.","PeriodicalId":302503,"journal":{"name":"2012 Fifth International Conference on Intelligent Networks and Intelligent Systems","volume":"13 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2012-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"9","resultStr":"{\"title\":\"Trends in Host Search Attack in DNS Query Request Packet Traffic\",\"authors\":\"N. Shibata, Y. Musashi, D. Romaņa, S. Kubota, K. Sugitani\",\"doi\":\"10.1109/ICINIS.2012.11\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"We statistically investigated the total PTR resource record (RR) based DNS query request packet traffic from the Internet to the top domain DNS server in a university campus network through January 1st to December 31st, 2011. The obtained results are: (1) We found twelve host search (HS) attacks in the scores for detection method using the calculated Euclidean distances between the observed IP address and the last observed IP address in the DNS query keywords by employing both threshold ranges of 1.0-2.0 (consecutive) and 150.2-210.4 (random). However, we found nineteen HS attacks in the scores using the calculated cosine distance between the DNS query IP addresses (threshold ranges of 0.75-0.83 and 0.9-1.0). (3) In the newly found HS attacks, we observed that the source IP addresses of the HS attack DNS query packets are distributed. Therefore, it can be concluded that the cosine distance based detection technology has a possibility to detect the source IP address-distributed host search attack.\",\"PeriodicalId\":302503,\"journal\":{\"name\":\"2012 Fifth International Conference on Intelligent Networks and Intelligent Systems\",\"volume\":\"13 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2012-11-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"9\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2012 Fifth International Conference on Intelligent Networks and Intelligent Systems\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ICINIS.2012.11\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2012 Fifth International Conference on Intelligent Networks and Intelligent Systems","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICINIS.2012.11","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 9

摘要

我们统计了2011年1月1日至12月31日期间，基于PTR资源记录(RR)的从Internet到某高校校园网顶级域DNS服务器的DNS查询请求报文流量。得到的结果是:(1)我们使用1.0-2.0(连续)和150.2-210.4(随机)两种阈值范围，通过计算DNS查询关键字中观察到的IP地址与最后观察到的IP地址之间的欧氏距离，在检测方法的得分中发现了12种主机搜索(HS)攻击。然而，我们在使用计算的DNS查询IP地址之间的余弦距离(阈值范围为0.75-0.83和0.9-1.0)的分数中发现了19次HS攻击。(3)在新发现的HS攻击中，我们观察到HS攻击DNS查询报文的源IP地址是分布式的。因此，可以得出结论，基于余弦距离的检测技术具有检测源IP地址分布式主机搜索攻击的可能性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Trends in Host Search Attack in DNS Query Request Packet Traffic

We statistically investigated the total PTR resource record (RR) based DNS query request packet traffic from the Internet to the top domain DNS server in a university campus network through January 1st to December 31st, 2011. The obtained results are: (1) We found twelve host search (HS) attacks in the scores for detection method using the calculated Euclidean distances between the observed IP address and the last observed IP address in the DNS query keywords by employing both threshold ranges of 1.0-2.0 (consecutive) and 150.2-210.4 (random). However, we found nineteen HS attacks in the scores using the calculated cosine distance between the DNS query IP addresses (threshold ranges of 0.75-0.83 and 0.9-1.0). (3) In the newly found HS attacks, we observed that the source IP addresses of the HS attack DNS query packets are distributed. Therefore, it can be concluded that the cosine distance based detection technology has a possibility to detect the source IP address-distributed host search attack.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2012 Fifth International Conference on Intelligent Networks and Intelligent Systems

自引率

0.00%

发文量