Skip to Main Content
Email worms and the high amount of unsolicited email traffic on the Internet continue to be persistent operational security issues. In this work, we present a method to detect email worms soon after they appear at the local name server, which is topologically near the infected machines. Our method analyses at flow level the communication patterns between user machines and the local name server. With respect to this, it uses exact similarity search over time series produced by the Domain Name System (DNS) query streams of user machines, and unsupervised learning. To evaluate our method, we have constructed and used a DNS query dataset that consists of 71 recent email worms. We demonstrate that our method is remarkably effective in the long run, and that time series similarity search can be a useful tool for intrusion detection, one that has not yet been adequately explored.