Detecting algorithmically generated malicious domain names

Sandeep Yadav, Ashwath Kumar Krishna Reddy, A. L. Narasimha Reddy and Supranamaya Ranjan. IMC '10.
Recent botnets such as Conficker, Kraken and Torpig have used DNS-based "domain fluxing" for command-and-control, where each bot queries for the existence of a series of domain names and the owner has to register only one such domain name. In this paper, we develop a methodology to detect such "domain fluxes" in DNS traffic by looking for patterns inherent to domain names that are generated algorithmically, in contrast to those generated by humans. In particular, we look at distribution of…
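The abstract breaks off before naming the distribution it examines. The added example below is not the paper's code; it assumes the distribution is a unigram (single-character) distribution over the second-level label of each domain, groups domains as a detector would, and measures how far each group's character distribution lies from a benign baseline with KL divergence. The sample domain groups, the baseline and the threshold are all constructed for illustration.

```python
import math
import string
from collections import Counter

# Characters a DNS label may carry besides hyphens; the example ignores hyphens.
ALPHABET = string.ascii_lowercase + string.digits


def second_level_label(domain):
    """Return the label just below the TLD, e.g. 'example' for 'www.example.com'."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def char_distribution(domains):
    """Unigram distribution of alphanumeric characters over a group of domains."""
    counts = Counter(ch for d in domains
                     for ch in second_level_label(d) if ch in ALPHABET)
    total = sum(counts.values())
    if total == 0:
        raise ValueError("no alphanumeric characters in group")
    return {ch: counts[ch] / total for ch in ALPHABET}


def kl_divergence(p, q, eps=1e-6):
    """KL(p || q); q is additively smoothed so characters unseen in the baseline stay finite."""
    norm = 1.0 + eps * len(ALPHABET)
    return sum(p[ch] * math.log(p[ch] / ((q[ch] + eps) / norm))
               for ch in ALPHABET if p[ch] > 0)


def flux_scores(groups, baseline_domains):
    """Divergence of every group's character distribution from the benign baseline."""
    baseline = char_distribution(baseline_domains)
    return {name: kl_divergence(char_distribution(doms), baseline)
            for name, doms in groups.items()}


def flag_groups(groups, baseline_domains, threshold):
    """Names of groups whose divergence exceeds the threshold (threshold is an assumption)."""
    scores = flux_scores(groups, baseline_domains)
    return sorted(name for name, score in scores.items() if score > threshold)


# Constructed benign baseline: human-chosen names a resolver would see every day.
BENIGN_BASELINE = [
    "google.com", "facebook.com", "wikipedia.org", "amazon.com",
    "youtube.com", "twitter.com", "github.com", "reddit.com",
    "netflix.com", "microsoft.com", "apple.com", "linkedin.com",
]

# Constructed groups: one of human-chosen names, one of random-looking labels.
GROUPS = {
    "benign_test": ["stackoverflow.com", "mozilla.org", "cloudflare.com",
                    "python.org", "example.com", "ubuntu.com"],
    "dga_like": ["xq7kzp3vwfj.com", "mbt9e4lrcuy.net", "zvk2hqo8dnp.info",
                 "fa6jtyw1gxc.biz", "lpu3sdk9vmh.com", "rcx5bqz7wtn.org"],
}

# Assumed cut-off; a deployment would calibrate it on labelled traffic.
THRESHOLD = 1.0

if __name__ == "__main__":
    for name, score in flux_scores(GROUPS, BENIGN_BASELINE).items():
        print(f"{name:12s} KL from baseline = {score:.3f}")
    print("flagged:", flag_groups(GROUPS, BENIGN_BASELINE, THRESHOLD))
```

Random-looking labels spread their mass over digits and rare letters that the baseline almost never uses, so their divergence is large, while a fresh set of human-chosen names stays close to the baseline. The smoothing constant matters: without it a single character absent from the baseline makes the divergence infinite, which is why the baseline should be built from a large sample before any threshold is chosen.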


Detecting bot-infected machines based on analyzing the similar periodic DNS queries
This paper presents a method based on analyzing the similar periodic time-interval series of DNS queries to identify DGA-bot-infected machines, and applies a hierarchical clustering algorithm to cluster highly similar domain names.
Kindred domains: detecting and clustering botnet domains using DNS traffic
This paper proposes to analyze domain name system (DNS) traffic, such as Non-Existent Domain (NXDomain) queries, at several premier Top Level Domain (TLD) authoritative name servers to identify strongly connected cliques of malware related domains.
PsyBoG: A scalable botnet detection method for large-scale DNS traffic
Tracking and Characterizing Botnets Using Automatically Generated Domains
This work proposes a mechanism that overcomes the above limitations by analyzing DNS traffic data through a combination of linguistic and IP-based features of suspicious domains, and is able to identify AGD names, characterize their DGAs and isolate logical groups of domains that represent the respective botnets.
DNS Traffic Analysis for Network-based Malware Detection
Botnets are generally recognized as one of the most challenging threats on the Internet today. Botnets have been involved in many attacks targeting multinational organizations and even nationwide
Detecting the DGA-Based Malicious Domain Names
The hierarchical characteristic is introduced into the detection process, dividing the domain name into distinct levels and calculating the characteristic value separately, and the accuracy of the level-based method is higher than 94%.
From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware
A new technique to detect randomly generated domains without reversing is presented, finding that most of the DGA-generated domains that a bot queries would result in Non-Existent Domain (NXDomain) responses, and that bots from the same botnet (with the same DGA algorithm) would generate similar NXDomain traffic.
Stealthy Domain Generation Algorithms
Yu Fu, Lu Yu, R. Brooks. IEEE Transactions on Information Forensics and Security, 2017.
Two DGAs, using hidden Markov models (HMMs) and probabilistic context-free grammars (PCFGs) respectively, are proposed to identify malicious domain names generated by DGAs.
Domain Generation Algorithm Detection Using Machine Learning Methods
This paper surveys different machine learning methods for detecting zero-day DGAs by analyzing only the alphanumeric characteristics of the domain names in the network and proposes unsupervised models, which achieve better results than the compared supervised techniques.
MalPortrait: Sketch Malicious Domain Portraits Based on Passive DNS Data
This work proposes a novel system called MalPortrait, which combines individual features and association information of domains to detect malicious domains, and shows the association information among domains by a domain association graph where vertices represent domains and edges connect domains resolved to the same IP.
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces
A novel passive approach, based on the analysis of recursive DNS traffic traces collected from multiple large networks, is able to detect malicious flux service networks in the wild, i.e., as they are accessed by users who fall victim to malicious content advertised through blog spam, instant messaging spam, social website spam, etc., besides email spam.
BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic
This paper proposes an approach that uses network-based anomaly detection to identify botnet C&C channels in a local area network without any prior knowledge of signatures or C&C server addresses, and shows that BotSniffer can detect real-world botnets with high accuracy and has a very low false positive rate.
FluXOR: Detecting and Monitoring Fast-Flux Service Networks
FluXOR, a system to detect and monitor fast-flux service networks, bases its monitoring and detection strategies entirely on the analysis of a set of features observable from the point of view of a victim of the scams perpetrated through botnets.
Studying Spamming Botnets Using Botlab
It is found that six botnets are responsible for 79% of spam messages arriving at the UW campus, and defensive tools that take advantage of the Botlab platform to improve spam filtering and protect users from harmful web sites advertised within botnet-generated spam are presented.
Spamming botnets: signatures and characteristics
An in-depth analysis of the identified botnets revealed several interesting findings regarding the degree of email obfuscation, properties of botnet IP addresses, sending patterns, and their correlation with network scanning traffic.
Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm
In a case study, the Storm Worm botnet, the most widespread P2P botnet currently propagating in the wild, is examined in detail, and two different ways to disrupt the communication channel between controller and compromised machines in order to mitigate the botnet are presented.
Beyond blacklists: learning to detect malicious web sites from suspicious URLs
This paper describes an approach to this problem based on automated URL classification, using statistical methods to discover the tell-tale lexical and host-based properties of malicious Web site URLs.
Dynamics of Online Scam Hosting Infrastructure
It is found that, unlike the short-lived nature of the scams themselves, the infrastructure that hosts these scams has relatively persistent features that may ultimately assist detection.
Using an Ensemble of One-Class SVM Classifiers to Harden Payload-based Anomaly Detection Systems
This paper proposes a new approach to construct high speed payload-based anomaly IDS intended to be accurate and hard to evade, and uses a feature clustering algorithm originally proposed for text classification problems to reduce the dimensionality of the feature space.
Measurement and Classification of Humans and Bots in Internet Chat
This paper conducts a series of measurements on a large commercial chat network and proposes a classification system to accurately distinguish chat bots from human users, which shows that human behavior is more complex than bot behavior.