Similarity Search over DNS Query Streams for Email Worm Detection

Authors: Chatzis, N. (Fraunhofer Inst. Fokus, Berlin); Brownlee, N.

Email worms and the high volume of unsolicited email traffic on the Internet continue to be persistent operational security issues. In this work, we present a method to detect email worms soon after they appear at the local name server, which is topologically near the infected machines. Our method analyses, at flow level, the communication patterns between user machines and the local name server. To do so, it applies exact similarity search to the time series produced by the Domain Name System (DNS) query streams of user machines, combined with unsupervised learning. To evaluate our method, we constructed and used a DNS query dataset consisting of 71 recent email worms. We demonstrate that our method is remarkably effective in the long run, and that time series similarity search can be a useful tool for intrusion detection, one that has not yet been adequately explored.
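As an added illustration of the flow-level approach the abstract describes (not the authors' code, which the abstract does not reproduce): each client's DNS query stream to the local name server is bucketed into a query-count time series, and hosts whose series are near-identical are grouped without labels. The window size, the z-normalised Euclidean distance, the grouping threshold and the query log are all constructed assumptions.

```python
"""Similarity search over per-host DNS query-rate time series (added example)."""
from collections import defaultdict
import math

WINDOW = 10      # seconds per bucket (assumption)
SPAN = 60        # seconds covered by each series (assumption)
THRESHOLD = 1.0  # max z-normalised distance for two hosts to be grouped (assumption)

# Constructed query log: (seconds since capture start, client IP, qname).
# 10.0.0.7 and 10.0.0.9 show the same two bursts; 10.0.0.3 queries sporadically.
SAMPLE_LOG = (
    [(t, "10.0.0.7", f"host{t}.example") for t in range(0, 20)]
    + [(t, "10.0.0.9", f"host{t}.example") for t in range(1, 21)]
    + [(t, "10.0.0.7", "smtp.example") for t in range(45, 58)]
    + [(t, "10.0.0.9", "smtp.example") for t in range(46, 59)]
    + [(3, "10.0.0.3", "www.example"), (25, "10.0.0.3", "cdn.example"),
       (40, "10.0.0.3", "mail.example"), (55, "10.0.0.3", "img.example")]
)

def build_series(log, window=WINDOW, span=SPAN):
    """Count queries per client per window -> {client: [count per bucket]}."""
    series = defaultdict(lambda: [0] * (span // window))
    for ts, client, _qname in log:
        if 0 <= ts < span:
            series[client][ts // window] += 1
    return dict(series)

def znorm(xs):
    """Scale a series to zero mean / unit variance so only the shape matters."""
    mean = sum(xs) / len(xs)
    sd = math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs)) or 1.0
    return [(x - mean) / sd for x in xs]

def distance(a, b):
    """Euclidean distance between two z-normalised series of equal length."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(znorm(a), znorm(b))))

def similar_groups(series, threshold=THRESHOLD):
    """Single-linkage grouping: hosts within threshold of each other share a group."""
    hosts = sorted(series)
    parent = {h: h for h in hosts}
    def find(h):
        while parent[h] != h:
            h = parent[h]
        return h
    for i, a in enumerate(hosts):
        for b in hosts[i + 1:]:
            if distance(series[a], series[b]) <= threshold:
                parent[find(a)] = find(b)
    groups = defaultdict(list)
    for h in hosts:
        groups[find(h)].append(h)
    return sorted(g for g in groups.values() if len(g) > 1)  # [['10.0.0.7', '10.0.0.9']]
```

Hosts that end up in the same group behave alike over the capture span and are candidates for closer inspection; the sporadic browser is left alone.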

Published in: 2009 International Conference on Advanced Information Networking and Applications (AINA '09)

Date of Conference: 26-29 May 2009