Detection of Bot Infected PC Using Destination-based IP Address and Domain Name Whitelists
Abstract
Because a bot communicates with its malicious controller over ordinary-looking or encrypted channels and updates its code frequently, detecting an infected personal computer (PC) with a signature-based intrusion detection system (IDS) or antivirus (AV) is difficult. Since the control and attack packets sent by the bot process are independent of user operation, a behavior monitor is effective for detecting anomalous communication. In this paper, we propose a bot detection technique that checks outbound packets against destination-based whitelists. If any outbound packet sent during a non-operating duration does not match the whitelists, the PC is considered to be infected by a bot. The whitelists are a set of legitimate IP addresses (IPs) and/or domain names (DNs). We implement the proposed system as a host-based detector and evaluate its false negative (FN) and false positive (FP) performance.
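As an added illustration of the detection rule described above (it is not the paper's implementation), the following Python sketch flags outbound flows that occur while the user is idle and whose destination matches neither the IP whitelist nor the domain whitelist. The whitelist entries, idle threshold, input-event timestamps and flow records are constructed sample values.

```python
from ipaddress import ip_address, ip_network
from datetime import datetime, timedelta

# Constructed whitelists (illustrative values, not from the paper).
IP_WHITELIST = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
DN_WHITELIST = {"example.com", "update.example.net"}

# Assumed idle threshold: no keyboard/mouse input for this long counts as
# a "non-operating duration" in which outbound traffic is checked.
IDLE_AFTER = timedelta(minutes=5)

def domain_allowed(dn):
    """Match a domain name or any of its parent domains (but not a bare TLD)."""
    labels = dn.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in DN_WHITELIST for i in range(len(labels) - 1))

def ip_allowed(ip):
    """True if the destination IP falls inside a whitelisted network."""
    return any(ip_address(ip) in net for net in IP_WHITELIST)

def is_idle(ts, input_events):
    """True if no user input occurred within IDLE_AFTER before ts."""
    recent = [e for e in input_events if e <= ts]
    return not recent or ts - max(recent) >= IDLE_AFTER

def detect(flows, input_events):
    """Return outbound flows sent during idle time to non-whitelisted destinations."""
    alerts = []
    for f in flows:
        if not is_idle(f["ts"], input_events):
            continue  # user is operating the PC; traffic is not judged
        if ip_allowed(f["dst_ip"]):
            continue
        if f.get("dst_dn") and domain_allowed(f["dst_dn"]):
            continue
        alerts.append(f)
    return alerts

def run_demo():
    """Constructed sample: two input events, then five outbound flows."""
    t0 = datetime(2011, 4, 15, 9, 0, 0)
    inputs = [t0, t0 + timedelta(minutes=1)]
    flows = [
        {"ts": t0 + timedelta(seconds=30), "dst_ip": "203.0.113.5", "dst_dn": None},
        {"ts": t0 + timedelta(seconds=30), "dst_ip": "198.51.100.7", "dst_dn": None},
        {"ts": t0 + timedelta(minutes=10), "dst_ip": "203.0.113.9", "dst_dn": "www.example.com"},
        {"ts": t0 + timedelta(minutes=10), "dst_ip": "198.51.100.7", "dst_dn": "c2.invalid"},
        {"ts": t0 + timedelta(minutes=12), "dst_ip": "192.0.2.1", "dst_dn": "update.example.net"},
    ]
    return detect(flows, inputs)
```

Only the idle-time flow to 198.51.100.7 / c2.invalid is reported; the same destination contacted while the user was active is not judged, which is the FN trade-off the paper evaluates.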
- 2011-04-15
Authors
- Keisuke Takemori, KDDI R&D Laboratories
- Masakatsu Nishigaki, Graduate School of Science and Technology, Shizuoka University
- Takahiro Sakai, Graduate School of Science and Technology, Shizuoka University
- Yutaka Miyake, KDDI R&D Laboratories Inc.
Related papers
- IP Traceback Using DNS Logs against Bots
- Detection of Bot Infected PC Using Destination-based IP Address and Domain Name Whitelists
- Web Tracking Site Detection Based on Temporal Link Analysis and Automatic Blacklist Generation