A Cause-Based Classification Approach for Malicious DNS Queries Detected Through Blacklists

Sato, Akihiro; 佐藤, 彰洋; サトウ, アキヒロ; Nakamura, Yutaka; 中村, 豊; ナカムラ, ユタカ; Fukuda, Yutaka; 福田, 豊; フクダ, ユタカ; Sasai,  Kazuto; Kitagata,  Gen

doi:https://doi.org/10.1109/ACCESS.2019.2944203

WEKO3

lat lon distance

[[sub_check.contents]]

[[sub_radio.contents]]

Field does not validate

[[sub_attr.contents]]　

インデックスツリー

アイテム

{"_buckets": {"deposit": "823670c9-1dc2-4e23-9bf9-6d91e70f3816"}, "_deposit": {"created_by": 3, "id": "6421", "owners": [3], "pid": {"revision_id": 0, "type": "depid", "value": "6421"}, "status": "published"}, "_oai": {"id": "oai:kyutech.repo.nii.ac.jp:00006421", "sets": ["24"]}, "author_link": ["26915", "24131", "26916", "8847", "26911", "27948", "26910"], "item_21_biblio_info_6": {"attribute_name": "書誌情報", "attribute_value_mlt": [{"bibliographicIssueDates": {"bibliographicIssueDate": "2019-09-27", "bibliographicIssueDateType": "Issued"}, "bibliographicPageEnd": "143001", "bibliographicPageStart": "142991", "bibliographicVolumeNumber": "7", "bibliographic_titles": [{"bibliographic_title": "IEEE Access "}]}]}, "item_21_description_4": {"attribute_name": "抄録", "attribute_value_mlt": [{"subitem_description": "Some of the most serious security threats facing computer networks involve malware. To prevent this threat, administrators need to swiftly remove the infected machines from their networks. One common way to detect infected machines in a network is by monitoring communications based on blacklists. However, detection using this method has the following two problems: no blacklist is completely reliable, and blacklists do not provide sufficient evidence to allow administrators to determine the validity and accuracy of the detection results. Therefore, simply matching communications with blacklist entries is insufficient, and administrators should pursue their detection causes by investigating the communications themselves. In this paper, we propose an approach for classifying malicious DNS queries detected through blacklists by their causes. This approach is motivated by the following observation: a malware communication is divided into several transactions, each of which generates queries related to the malware; thus, surrounding queries that occur before and after a malicious query detected through blacklists help in estimating the cause of the malicious query. Our cause-based classification drastically reduces the number of malicious queries to be investigated because the investigation scope is limited to only representative queries in the classification results. In experiments, we have confirmed that our approach could group 388 malicious queries into 3 clusters, each consisting of queries with a common cause. These results indicate that administrators can briefly pursue all the causes by investigating only representative queries of each cluster, and thereby swiftly address the problem of infected machines in the network.", "subitem_description_type": "Abstract"}]}, "item_21_description_60": {"attribute_name": "資源タイプ", "attribute_value_mlt": [{"subitem_description": "Journal Article", "subitem_description_type": "Other"}]}, "item_21_full_name_3": {"attribute_name": "著者別名", "attribute_value_mlt": [{"affiliations": [{"affiliationNames": [{"affiliationName": "", "lang": "ja"}], "nameIdentifiers": []}], "familyNames": [{"familyName": "Sato", "familyNameLang": "en"}, {"familyName": "佐藤", "familyNameLang": "ja"}, {"familyName": "サトウ", "familyNameLang": "ja-Kana"}], "givenNames": [{"givenName": "Akihiro", "givenNameLang": "en"}, {"givenName": "彰洋", "givenNameLang": "ja"}, {"givenName": "アキヒロ", "givenNameLang": "ja-Kana"}], "nameIdentifiers": [{"nameIdentifier": "27948", "nameIdentifierScheme": "WEKO"}, {"nameIdentifier": "30609376", "nameIdentifierScheme": "e-Rad", "nameIdentifierURI": "https://nrid.nii.ac.jp/ja/nrid/1000030609376"}, {"nameIdentifier": "55437344000", "nameIdentifierScheme": "Scopus著者ID", "nameIdentifierURI": "https://www.scopus.com/authid/detail.uri?authorId=55437344000"}, {"nameIdentifier": "0000-0003-3178-1041", "nameIdentifierScheme": "ORCiD", "nameIdentifierURI": "https://orcid.org/0000-0003-3178-1041"}, {"nameIdentifier": "100000049", "nameIdentifierScheme": "九工大研究者情報", "nameIdentifierURI": "https://hyokadb02.jimu.kyutech.ac.jp/html/100000049_ja.html"}], "names": [{"name": "Sato, Akihiro", "nameLang": "en"}, {"name": "佐藤, 彰洋", "nameLang": "ja"}, {"name": "サトウ, アキヒロ", "nameLang": "ja-Kana"}]}, {"affiliations": [{"affiliationNames": [{"affiliationName": "", "lang": "ja"}], "nameIdentifiers": []}], "familyNames": [{"familyName": "Nakamura", "familyNameLang": "en"}, {"familyName": "中村", "familyNameLang": "ja"}, {"familyName": "ナカムラ", "familyNameLang": "ja-Kana"}], "givenNames": [{"givenName": "Yutaka", "givenNameLang": "en"}, {"givenName": "豊", "givenNameLang": "ja"}, {"givenName": "ユタカ", "givenNameLang": "ja-Kana"}], "nameIdentifiers": [{"nameIdentifier": "8847", "nameIdentifierScheme": "WEKO"}, {"nameIdentifier": "40346317", "nameIdentifierScheme": "e-Rad", "nameIdentifierURI": "https://nrid.nii.ac.jp/ja/nrid/1000040346317"}, {"nameIdentifier": "56393278900", "nameIdentifierScheme": "Scopus著者ID", "nameIdentifierURI": "https://www.scopus.com/authid/detail.uri?authorId=56393278900"}, {"nameIdentifier": "367", "nameIdentifierScheme": "九工大研究者情報", "nameIdentifierURI": "https://hyokadb02.jimu.kyutech.ac.jp/html/367_ja.html"}], "names": [{"name": "Nakamura, Yutaka", "nameLang": "en"}, {"name": "中村, 豊", "nameLang": "ja"}, {"name": "ナカムラ, ユタカ", "nameLang": "ja-Kana"}]}, {"affiliations": [{"affiliationNames": [{"affiliationName": "", "lang": "ja"}], "nameIdentifiers": []}], "familyNames": [{"familyName": "Fukuda", "familyNameLang": "en"}, {"familyName": "福田", "familyNameLang": "ja"}, {"familyName": "フクダ", "familyNameLang": "ja-Kana"}], "givenNames": [{"givenName": "Yutaka", "givenNameLang": "en"}, {"givenName": "豊", "givenNameLang": "ja"}, {"givenName": "ユタカ", "givenNameLang": "ja-Kana"}], "nameIdentifiers": [{"nameIdentifier": "24131", "nameIdentifierScheme": "WEKO"}, {"nameIdentifier": "90372763", "nameIdentifierScheme": "e-Rad", "nameIdentifierURI": "https://nrid.nii.ac.jp/ja/nrid/1000090372763"}, {"nameIdentifier": "35811871400", "nameIdentifierScheme": "Scopus著者ID", "nameIdentifierURI": "https://www.scopus.com/authid/detail.uri?authorId=35811871400"}, {"nameIdentifier": "0000-0003-0430-0871", "nameIdentifierScheme": "ORCiD", "nameIdentifierURI": "https://orcid.org/0000-0003-0430-0871"}, {"nameIdentifier": "371", "nameIdentifierScheme": "九工大研究者情報", "nameIdentifierURI": "https://hyokadb02.jimu.kyutech.ac.jp/html/371_ja.html"}], "names": [{"name": "Fukuda, Yutaka", "nameLang": "en"}, {"name": "福田, 豊", "nameLang": "ja"}, {"name": "フクダ, ユタカ", "nameLang": "ja-Kana"}]}, {"nameIdentifiers": [{"nameIdentifier": "26915", "nameIdentifierScheme": "WEKO"}], "names": [{"name": "Sasai,  K."}]}, {"nameIdentifiers": [{"nameIdentifier": "26916", "nameIdentifierScheme": "WEKO"}], "names": [{"name": "Kitagata,  G."}]}]}, "item_21_link_62": {"attribute_name": "研究者情報", "attribute_value_mlt": [{"subitem_link_text": "https://hyokadb02.jimu.kyutech.ac.jp/html/371_ja.html", "subitem_link_url": "https://hyokadb02.jimu.kyutech.ac.jp/html/371_ja.html"}]}, "item_21_publisher_7": {"attribute_name": "出版者", "attribute_value_mlt": [{"subitem_publisher": "IEEE"}]}, "item_21_relation_12": {"attribute_name": "DOI", "attribute_value_mlt": [{"subitem_relation_type": "isIdenticalTo", "subitem_relation_type_id": {"subitem_relation_type_id_text": "https://doi.org/10.1109/ACCESS.2019.2944203", "subitem_relation_type_select": "DOI"}}]}, "item_21_rights_13": {"attribute_name": "権利", "attribute_value_mlt": [{"subitem_rights": "This work is licensed under a Creative Commons Attribution 4.0 License. http://creativecommons.org/licenses/by/4.0/"}]}, "item_21_select_59": {"attribute_name": "査読の有無", "attribute_value_mlt": [{"subitem_select_item": "yes"}]}, "item_21_source_id_8": {"attribute_name": "ISSN", "attribute_value_mlt": [{"subitem_source_identifier": "2169-3536", "subitem_source_identifier_type": "ISSN"}]}, "item_21_subject_16": {"attribute_name": "日本十進分類法", "attribute_value_mlt": [{"subitem_subject": "547", "subitem_subject_scheme": "NDC"}]}, "item_21_text_28": {"attribute_name": "論文ID（連携）", "attribute_value_mlt": [{"subitem_text_value": "10350174"}]}, "item_21_text_36": {"attribute_name": "著者所属", "attribute_value_mlt": [{"subitem_text_value": "Kyushu Institute of Technology, Kitakyushu 804-8550, Japan"}, {"subitem_text_value": "Kyushu Institute of Technology, Kitakyushu 804-8550, Japan"}, {"subitem_text_value": "Kyushu Institute of Technology, Kitakyushu 804-8550, Japan"}, {"subitem_text_value": "Graduate School of Science and Engineering, Ibaraki University, Hitachi 316-8511, Japan"}, {"subitem_text_value": "Research Institute of Electrical Communication, Tohoku University, Sendai 980-8577, Japan"}]}, "item_21_text_63": {"attribute_name": "連携ID", "attribute_value_mlt": [{"subitem_text_value": "8133"}]}, "item_21_version_type_58": {"attribute_name": "著者版フラグ", "attribute_value_mlt": [{"subitem_version_resource": "http://purl.org/coar/version/c_970fb48d4fbd8a85", "subitem_version_type": "VoR"}]}, "item_creator": {"attribute_name": "著者", "attribute_type": "creator", "attribute_value_mlt": [{"creatorAffiliations": [{"affiliationNameIdentifiers": [], "affiliationNames": [{"affiliationName": "", "affiliationNameLang": "ja"}]}], "creatorNames": [{"creatorName": "Sato, Akihiro", "creatorNameLang": "en"}, {"creatorName": "佐藤, 彰洋", "creatorNameLang": "ja"}, {"creatorName": "サトウ, アキヒロ", "creatorNameLang": "ja-Kana"}], "familyNames": [{"familyName": "Sato", "familyNameLang": "en"}, {"familyName": "佐藤", "familyNameLang": "ja"}, {"familyName": "サトウ", "familyNameLang": "ja-Kana"}], "givenNames": [{"givenName": "Akihiro", "givenNameLang": "en"}, {"givenName": "彰洋", "givenNameLang": "ja"}, {"givenName": "アキヒロ", "givenNameLang": "ja-Kana"}], "nameIdentifiers": [{"nameIdentifier": "27948", "nameIdentifierScheme": "WEKO"}, {"nameIdentifier": "30609376", "nameIdentifierScheme": "e-Rad", "nameIdentifierURI": "https://nrid.nii.ac.jp/ja/nrid/1000030609376"}, {"nameIdentifier": "55437344000", "nameIdentifierScheme": "Scopus著者ID", "nameIdentifierURI": "https://www.scopus.com/authid/detail.uri?authorId=55437344000"}, {"nameIdentifier": "0000-0003-3178-1041", "nameIdentifierScheme": "ORCiD", "nameIdentifierURI": "https://orcid.org/0000-0003-3178-1041"}, {"nameIdentifier": "100000049", "nameIdentifierScheme": "九工大研究者情報", "nameIdentifierURI": "https://hyokadb02.jimu.kyutech.ac.jp/html/100000049_ja.html"}]}, {"creatorAffiliations": [{"affiliationNameIdentifiers": [], "affiliationNames": [{"affiliationName": "", "affiliationNameLang": "ja"}]}], "creatorNames": [{"creatorName": "Nakamura, Yutaka", "creatorNameLang": "en"}, {"creatorName": "中村, 豊", "creatorNameLang": "ja"}, {"creatorName": "ナカムラ, ユタカ", "creatorNameLang": "ja-Kana"}], "familyNames": [{"familyName": "Nakamura", "familyNameLang": "en"}, {"familyName": "中村", "familyNameLang": "ja"}, {"familyName": "ナカムラ", "familyNameLang": "ja-Kana"}], "givenNames": [{"givenName": "Yutaka", "givenNameLang": "en"}, {"givenName": "豊", "givenNameLang": "ja"}, {"givenName": "ユタカ", "givenNameLang": "ja-Kana"}], "nameIdentifiers": [{"nameIdentifier": "8847", "nameIdentifierScheme": "WEKO"}, {"nameIdentifier": "40346317", "nameIdentifierScheme": "e-Rad", "nameIdentifierURI": "https://nrid.nii.ac.jp/ja/nrid/1000040346317"}, {"nameIdentifier": "56393278900", "nameIdentifierScheme": "Scopus著者ID", "nameIdentifierURI": "https://www.scopus.com/authid/detail.uri?authorId=56393278900"}, {"nameIdentifier": "367", "nameIdentifierScheme": "九工大研究者情報", "nameIdentifierURI": "https://hyokadb02.jimu.kyutech.ac.jp/html/367_ja.html"}]}, {"creatorAffiliations": [{"affiliationNameIdentifiers": [], "affiliationNames": [{"affiliationName": "", "affiliationNameLang": "ja"}]}], "creatorNames": [{"creatorName": "Fukuda, Yutaka", "creatorNameLang": "en"}, {"creatorName": "福田, 豊", "creatorNameLang": "ja"}, {"creatorName": "フクダ, ユタカ", "creatorNameLang": "ja-Kana"}], "familyNames": [{"familyName": "Fukuda", "familyNameLang": "en"}, {"familyName": "福田", "familyNameLang": "ja"}, {"familyName": "フクダ", "familyNameLang": "ja-Kana"}], "givenNames": [{"givenName": "Yutaka", "givenNameLang": "en"}, {"givenName": "豊", "givenNameLang": "ja"}, {"givenName": "ユタカ", "givenNameLang": "ja-Kana"}], "nameIdentifiers": [{"nameIdentifier": "24131", "nameIdentifierScheme": "WEKO"}, {"nameIdentifier": "90372763", "nameIdentifierScheme": "e-Rad", "nameIdentifierURI": "https://nrid.nii.ac.jp/ja/nrid/1000090372763"}, {"nameIdentifier": "35811871400", "nameIdentifierScheme": "Scopus著者ID", "nameIdentifierURI": "https://www.scopus.com/authid/detail.uri?authorId=35811871400"}, {"nameIdentifier": "0000-0003-0430-0871", "nameIdentifierScheme": "ORCiD", "nameIdentifierURI": "https://orcid.org/0000-0003-0430-0871"}, {"nameIdentifier": "371", "nameIdentifierScheme": "九工大研究者情報", "nameIdentifierURI": "https://hyokadb02.jimu.kyutech.ac.jp/html/371_ja.html"}]}, {"creatorNames": [{"creatorName": "Sasai,  Kazuto"}], "nameIdentifiers": [{"nameIdentifier": "26910", "nameIdentifierScheme": "WEKO"}]}, {"creatorNames": [{"creatorName": "Kitagata,  Gen"}], "nameIdentifiers": [{"nameIdentifier": "26911", "nameIdentifierScheme": "WEKO"}]}]}, "item_files": {"attribute_name": "ファイル情報", "attribute_type": "file", "attribute_value_mlt": [{"accessrole": "open_date", "date": [{"dateType": "Available", "dateValue": "2020-03-02"}], "displaytype": "detail", "download_preview_message": "", "file_order": 0, "filename": "ACCESS.2019.2944203.pdf", "filesize": [{"value": "7.8 MB"}], "format": "application/pdf", "future_date_message": "", "is_thumbnail": false, "licensetype": "license_free", "mimetype": "application/pdf", "size": 7800000.0, "url": {"label": "ACCESS.2019.2944203.pdf", "url": "https://kyutech.repo.nii.ac.jp/record/6421/files/ACCESS.2019.2944203.pdf"}, "version_id": "169d94e6-4481-4adc-bbd3-88902252401c"}]}, "item_language": {"attribute_name": "言語", "attribute_value_mlt": [{"subitem_language": "eng"}]}, "item_resource_type": {"attribute_name": "資源タイプ", "attribute_value_mlt": [{"resourcetype": "journal article", "resourceuri": "http://purl.org/coar/resource_type/c_6501"}]}, "item_title": "A Cause-Based Classification Approach for Malicious DNS Queries Detected Through Blacklists", "item_titles": {"attribute_name": "タイトル", "attribute_value_mlt": [{"subitem_title": "A Cause-Based Classification Approach for Malicious DNS Queries Detected Through Blacklists"}]}, "item_type_id": "21", "owner": "3", "path": ["24"], "permalink_uri": "http://hdl.handle.net/10228/00007631", "pubdate": {"attribute_name": "公開日", "attribute_value": "2020-03-02"}, "publish_date": "2020-03-02", "publish_status": "0", "recid": "6421", "relation": {}, "relation_version_is_last": true, "title": ["A Cause-Based Classification Approach for Malicious DNS Queries Detected Through Blacklists"], "weko_shared_id": 3}

A Cause-Based Classification Approach for Malicious DNS Queries Detected Through Blacklists

http://hdl.handle.net/10228/00007631

名前 / ファイル	ライセンス	アクション
ACCESS.2019.2944203.pdf (7.8 MB)

Item type

学術雑誌論文 = Journal Article(1)

公開日

2020-03-02

資源タイプ

資源タイプ識別子

http://purl.org/coar/resource_type/c_6501

資源タイプ

journal article

タイトル

A Cause-Based Classification Approach for Malicious DNS Queries Detected Through Blacklists

言語

eng

著者

佐藤, 彰洋

WEKO 27948
e-Rad 30609376
Scopus著者ID 55437344000
ORCiD 0000-0003-3178-1041
九工大研究者情報 100000049

en	Sato, Akihiro
ja	佐藤, 彰洋
ja-Kana	サトウ, アキヒロ

Search repository

中村, 豊

WEKO 8847
e-Rad 40346317
Scopus著者ID 56393278900
九工大研究者情報 367

en	Nakamura, Yutaka
ja	中村, 豊
ja-Kana	ナカムラ, ユタカ

Search repository

福田, 豊

WEKO 24131
e-Rad 90372763
Scopus著者ID 35811871400
ORCiD 0000-0003-0430-0871
九工大研究者情報 371

en	Fukuda, Yutaka
ja	福田, 豊
ja-Kana	フクダ, ユタカ

Search repository

Sasai, Kazuto

Kitagata, Gen

抄録

内容記述タイプ

Abstract

内容記述

Some of the most serious security threats facing computer networks involve malware. To prevent this threat, administrators need to swiftly remove the infected machines from their networks. One common way to detect infected machines in a network is by monitoring communications based on blacklists. However, detection using this method has the following two problems: no blacklist is completely reliable, and blacklists do not provide sufficient evidence to allow administrators to determine the validity and accuracy of the detection results. Therefore, simply matching communications with blacklist entries is insufficient, and administrators should pursue their detection causes by investigating the communications themselves. In this paper, we propose an approach for classifying malicious DNS queries detected through blacklists by their causes. This approach is motivated by the following observation: a malware communication is divided into several transactions, each of which generates queries related to the malware; thus, surrounding queries that occur before and after a malicious query detected through blacklists help in estimating the cause of the malicious query. Our cause-based classification drastically reduces the number of malicious queries to be investigated because the investigation scope is limited to only representative queries in the classification results. In experiments, we have confirmed that our approach could group 388 malicious queries into 3 clusters, each consisting of queries with a common cause. These results indicate that administrators can briefly pursue all the causes by investigating only representative queries of each cluster, and thereby swiftly address the problem of infected machines in the network.

書誌情報

IEEE Access

巻 7, p. 142991-143001, 発行日 2019-09-27

出版社

出版者

IEEE

DOI

Versions

Ver.1

2023-05-15 12:54:33.918611

Show All versions

Cite as

エクスポート

OAI-PMH

JPCOAR
DublinCore
DDI

Other Formats

JSON
BIBTEX

インデックスリンク

インデックスツリー

アイテム

A Cause-Based Classification Approach for Malicious DNS Queries Detected Through Blacklists

× 佐藤, 彰洋

× 中村, 豊

× 福田, 豊

× Sasai, Kazuto

× Kitagata, Gen

Versions

Share

Cite as

エクスポート