Abstract
A DNS sinkhole system generates, separates, and manages a blacklist of botnets detected via a botnet detection system. Since numerous bots are newly added and bot codes are updated frequently, blacklist management is extremely expensive and it is difficult to update domain names and IP addresses. Further, effectiveness and accuracy are not guaranteed as the priority of botnets is determined and handled on the basis of subjective decisions of security experts. Hence, this study aims to provide a methodology to manage the blacklist by estimating the botnet risk index (BRI) of detected botnets from the perspective of a DNS sinkhole system manager and automatically estimating the risk priority of botnets on the basis of this information. The BRI, which is a normalization equation based on a Euclidean vector concept, is calculated in a number of scenarios, with a single command and control server (C&C) and with multiple C&Cs. The BRI has been defined to provide an intuitive understanding of the degree of danger posed by botnets.
Original language | English |
---|---|
Pages (from-to) | 165-180 |
Number of pages | 16 |
Journal | Information (Japan) |
Volume | 17 |
Issue number | 1 |
Publication status | Published - 2014 Jan |
Keywords
- Blacklist
- Botnet Risk Index (BRI)
- DNS Sinkhole
- Malicious Activity
- Risk Measurement
ASJC Scopus subject areas
- Information Systems