Academic Paper

Getting Prepared for the Next Botnet Attack: Detecting Algorithmically Generated Domains in Botnet Command and Control
Document Type
Conference
Source
2018 29th Irish Signals and Systems Conference (ISSC), pp. 1-6, Jun. 2018
Subject
Communication, Networking and Broadcast Technologies
Components, Circuits, Devices and Systems
Robotics and Control Systems
Signal Processing and Analysis
dga
machine learning
DNS
n-gram
botnet
C&C
actionable intelligence
big data security analytics
Language
Abstract
This paper highlights the high noise-to-signal ratio that DNS traffic poses to network defense's incident detection and response, and the broader topic of the critical time component required from intrusion detection for actionable security intelligence. Nowhere is this truer than in the monitoring and interception of malware command and control communications hidden amongst benign DNS internet traffic. Global ransomware and malware families were responsible for over 5 billion USD in losses. In 4 days, Reaper, a Mirai variant, infected 2.7m nodes. The scale of malware infections outstrips the ability of information security blacklisting to keep pace. Machine learning techniques, such as CLIP, provide the ability to detect malware traffic to malicious command and control domains with high reliability using lexical properties and semantic patterns in algorithmically generated domain names.