Clustering Malicious DNS Queries for Blacklist-Based Detection

Some of the most serious threats to network security involve malware. One common way to detect malware-infected machines in a network is by monitoring communications based on blacklists. However, such detection is problematic because (1) no blacklist is completely reliable, and (2) blacklists do not provide the sufficient evidence to allow administrators to determine the validity and accuracy of the detection results. In this paper, we propose a malicious DNS query clustering approach for blacklist-based detection. Unlike conventional classification, our cause-based classification can efficiently analyze malware communications, allowing infected machines in the network to be addressed swiftly

A Superficial Analysis Approach for Identifying Malicious Domain Names Generated by DGA Malware

Some of the most serious security threats facing computer networks involve malware. To prevent malware-related damage, administrators must swiftly identify and remove the infected machines that may reside in their networks. However, many malware families have domain generation algorithms (DGAs) to avoid detection. A DGA is a technique in which the domain name is changed frequently to hide the callback communication from the infected machine to the command-and-control server. In this article, we propose an approach for estimating the randomness of domain names by superficially analyzing their character strings. This approach is based on the following observations: human-generated benign domain names tend to reflect the intent of their domain registrants, such as an organization, product, or content. In contrast, dynamically generated malicious domain names consist of meaningless character strings because conflicts with already registered domain names must be avoided; hence, there are discernible differences in the strings of dynamically generated and human-generated domain names. Notably, our approach does not require any prior knowledge about DGAs. Our evaluation indicates that the proposed approach is capable of achieving recall and precision as high as 0.9960 and 0.9029, respectively, when used with labeled datasets. Additionally, this approach has proven to be highly effective for datasets collected via a campus network. Thus, these results suggest that malware-infected machines can be swiftly identified and removed from networks using DNS queries for detected malicious domains as triggers

Analysis of the Macroscopic Behavior of Server Systems in the Internet Environment

Elasticity is one of the key features of cloud-hosted services built on virtualization technology. To utilize the elasticity of cloud environments, administrators should accurately capture the operational status of server systems, which changes constantly according to service requests incoming irregularly. However, it is difficult to detect and avoid in advance that operating services are falling into an undesirable state. In this paper, we focus on the management of server systems that include cloud systems, and propose a new method for detecting the sign of undesirable scenarios before the system becomes overloaded as a result of various causes. In this method, a measure that utilizes the fluctuation of the macroscopic operational state observed in the server system is introduced. The proposed measure has the property of drastically increasing before the server system is in an undesirable state. Using the proposed measure, we realize a function to detect that the server system is falling into an overload scenario, and we demonstrate its effectiveness through experiments

Multiagent-Based Data Presentation Mechanism for Multifaceted Analysis in Network Management Tasks

Although network management tasks are highly automated using big data and artificial intelligence technologies, when an unforeseen cybersecurity problem or fault scenario occurs, administrators sometimes directly analyze system data to make a heuristic decision. However, a wide variety of information is required to address complex cybersecurity risks, whereas current systems are focused on narrowing the candidates of information. In this study, we propose a multiagent-based data presentation mechanism (MADPM) that consists of agents operating data-processing tools that store and analyze network data. Agents in MADPM interact with other agents to form data-processing sequences. In this process, we design not only the composition of the sequence according to requirements, but also a mechanism to expand it to enable multifaceted analysis that supports heuristic reasoning. We tested five case studies in the prototype system implemented in an experimental network. The results indicated that the multifaceted presentation of data can support administrators more than the selected single-faceted optimal presentation. The final outcome of our proposed approach is the provision of a multifaceted and cross-system data presentation for heuristic inference in network management tasks

Stepwise Log Summarizing Method for Real-Time Network Event Handling

In this paper, we propose a log summarizing method to help a network manager to recognize and handle a network event. Our method can accurately extract only necessary information in real-time by stepwise information extraction technique. This feature can help the network manager to handle an event quickly with less management burden. With our experimental results, we show that our method has the ability to remove more than 60 %- 90 % unnecessary records, without losing any necessary information. Additionally, our method can process a log containing massive records in real-time.

A Word-Level Analytical Approach for Identifying Malicious Domain Names Caused by Dictionary-Based DGA Malware

Computer networks are facing serious threats from the emergence of malware with sophisticated DGAs (Domain Generation Algorithms). This type of DGA malware dynamically generates domain names by concatenating words from dictionaries for evading detection. In this paper, we propose an approach for identifying the callback communications of such dictionary-based DGA malware by analyzing their domain names at the word level. This approach is based on the following observations: These malware families use their own dictionaries and algorithms to generate domain names, and accordingly, the word usages of malware-generated domains are distinctly different from those of human-generated domains. Our evaluation indicates that the proposed approach is capable of achieving accuracy, recall, and precision as high as 0.9989, 0.9977, and 0.9869, respectively, when used with labeled datasets. We also clarify the functional differences between our approach and other published methods via qualitative comparisons. Taken together, these results suggest that malware-infected machines can be identified and removed from networks using DNS queries for detected malicious domain names as triggers. Our approach contributes to dramatically improving network security by providing a technique to address various types of malware encroachment