Detecting algorithmically generated malicious domain names

@inproceedings{Yadav2010DetectingAG,
  title={Detecting algorithmically generated malicious domain names},
  author={Sandeep Yadav and Ashwath Kumar Krishna Reddy and A. L. Narasimha Reddy and Supranamaya Ranjan},
  booktitle={ACM/SIGCOMM Internet Measurement Conference},
  year={2010}
}
Recent botnets such as Conficker, Kraken and Torpig have used DNS-based "domain fluxing" for command-and-control: each bot queries for the existence of a series of domain names, and the botnet owner has to register only one of them. In this paper, we develop a methodology to detect such "domain fluxes" in DNS traffic by looking for patterns inherent to domain names that are generated algorithmically, in contrast to those generated by humans. In particular, we look at distribution of…
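The abstract is cut off before it names the statistic, so the following is an added illustration rather than the paper's code: it pools the queried domain names per client, builds the unigram letter distribution of their second-level labels, and measures how far that distribution is from an assumed "human-generated" reference (a standard approximate English letter-frequency table) using KL divergence. The log format, the client grouping, the reference table, the 1.5-bit threshold and the `min_labels` cut-off are all this example's own assumptions; the optional `rcodes` filter mirrors the NXDomain-only variants described by the citing papers below, not something the abstract states.

```python
"""Character-distribution scoring of queried domain names, grouped per client.

Added example, not code from the paper. The metric (KL divergence of each
client's unigram letter distribution from an English-like reference), the
log format and the threshold are assumptions made for this illustration.
"""
import math
from collections import Counter, defaultdict

# Approximate English letter frequencies in percent (a standard published
# table), used as the "human-generated" reference. A real deployment would
# estimate the reference from known-good domain names instead.
ENGLISH_FREQ_PCT = {
    'a': 8.2, 'b': 1.5, 'c': 2.8, 'd': 4.3, 'e': 12.7, 'f': 2.2, 'g': 2.0,
    'h': 6.1, 'i': 7.0, 'j': 0.15, 'k': 0.77, 'l': 4.0, 'm': 2.4, 'n': 6.7,
    'o': 7.5, 'p': 1.9, 'q': 0.095, 'r': 6.0, 's': 6.3, 't': 9.1, 'u': 2.8,
    'v': 0.98, 'w': 2.4, 'x': 0.15, 'y': 2.0, 'z': 0.074,
}
_total = sum(ENGLISH_FREQ_PCT.values())
REFERENCE = {c: v / _total for c, v in ENGLISH_FREQ_PCT.items()}

# Constructed sample log ("client,qname,rcode" per line); not real traffic.
SAMPLE_LOG = """\
10.0.0.5,www.example.com,NOERROR
10.0.0.5,mail.google.com,NOERROR
10.0.0.5,cdn.cloudflare.net,NOERROR
10.0.0.5,github.com,NOERROR
10.0.0.7,xkqzvwjr.biz,NXDOMAIN
10.0.0.7,qwpfhtzl.info,NXDOMAIN
10.0.0.7,zxvbnmqk.org,NXDOMAIN
10.0.0.7,lkjhgfds.net,NXDOMAIN
10.0.0.7,pqowieur.com,NXDOMAIN
"""


def second_level_label(qname):
    """Return the label left of the TLD, e.g. 'example' for www.example.com.

    Simplification: the last label is treated as the TLD, so multi-label
    public suffixes such as co.uk are not handled.
    """
    labels = qname.lower().rstrip('.').split('.')
    return labels[-2] if len(labels) >= 2 else labels[0]


def letter_distribution(labels):
    """Pooled unigram distribution over a-z; digits and hyphens are ignored."""
    counts = Counter(ch for label in labels for ch in label if 'a' <= ch <= 'z')
    total = sum(counts.values())
    return {c: n / total for c, n in counts.items()} if total else {}


def kl_divergence(p, q):
    """KL(P || Q) in bits. Q must be non-zero wherever P is (true for REFERENCE)."""
    return sum(pc * math.log2(pc / q[c]) for c, pc in p.items())


def parse_log(text, rcodes=None):
    """Group queried names by client; optionally keep only the given rcodes."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qname, rcode = line.split(',')
        if rcodes is None or rcode in rcodes:
            groups[client].append(qname)
    return groups


def score_clients(log_text, min_labels=4, rcodes=None):
    """Map each client to the KL divergence of its queried names from REFERENCE.

    Clients with fewer than min_labels names are skipped: KL divergence
    estimated from a handful of letters is dominated by sampling noise.
    """
    scores = {}
    for client, qnames in parse_log(log_text, rcodes).items():
        labels = [second_level_label(q) for q in qnames]
        if len(labels) < min_labels:
            continue
        dist = letter_distribution(labels)
        if dist:
            scores[client] = kl_divergence(dist, REFERENCE)
    return scores


def flag_clients(log_text, threshold=1.5, rcodes=None):
    """Clients whose score reaches the (assumed) threshold, sorted."""
    scores = score_clients(log_text, rcodes=rcodes)
    return sorted(c for c, s in scores.items() if s >= threshold)


if __name__ == "__main__":
    for client, score in sorted(score_clients(SAMPLE_LOG).items()):
        print(f"{client}: KL = {score:.2f} bits")
    print("flagged:", flag_clients(SAMPLE_LOG))
```

Two caveats a practitioner should carry over from the paper's framing: the divergence is only meaningful over a group of names (per client, per TLD, or per resolved IP), never over a single name, and the threshold has to be tuned against labelled traffic because short benign labels with rare letters also raise the score.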


DGA-Based Botnet Detection Using DNS Traffic

This paper presents a new technique to detect DGAs from DNS NXDomain traffic and shows that the method is effective at detecting algorithmically generated domains used by botnets.

Detecting bot-infected machines based on analyzing the similar periodic DNS queries

This paper presents a method that identifies DGA-bot-infected machines by analyzing the similar periodic time-interval series of their DNS queries, and applies hierarchical clustering to group highly similar domain names.

Winning with DNS Failures: Strategies for Faster Botnet Detection

This paper applies the XDOMAIN technique to a Tier-1 ISP dataset obtained from South Asia and to a campus DNS trace, validating the method by detecting Conficker botnet IPs and other anomalies with a false positive rate as low as 0.02%.

Kindred domains: detecting and clustering botnet domains using DNS traffic

This paper proposes to analyze domain name system (DNS) traffic, such as Non-Existent Domain (NXDomain) queries, at several premier Top Level Domain (TLD) authoritative name servers to identify strongly connected cliques of malware related domains.

Detection of Algorithmically Generated Malicious Domain

An approach for detecting DGAs using frequency analysis of the character distribution and weighted scores of domain names is presented, showing that domain names made up only of the English letters "a-z" that achieve a weighted score below 45 are often associated with DGAs.

PsyBoG: A scalable botnet detection method for large-scale DNS traffic

Tracking and Characterizing Botnets Using Automatically Generated Domains

This work proposes a mechanism that overcomes the limitations of earlier approaches by analyzing DNS traffic data through a combination of linguistic and IP-based features of suspicious domains; it is able to identify AGD names, characterize their DGAs and isolate logical groups of domains that represent the respective botnets.

DNS Traffic Analysis for Network-based Malware Detection

Botnets are generally recognized as one of the most challenging threats on the Internet today. Botnets have been involved in many attacks targeting multinational organizations and even nationwide

Detecting the DGA-Based Malicious Domain Names

A hierarchical characteristic is introduced into the detection process: the domain name is divided into distinct levels and the characteristic value is calculated separately for each, and the accuracy of this level-based method is higher than 94%.

From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware

A new technique to detect randomly generated domains without reverse-engineering the malware is presented, based on the observations that most DGA-generated domains a bot queries result in Non-Existent Domain (NXDomain) responses, and that bots from the same botnet (sharing the same DGA) generate similar NXDomain traffic.
...

References


BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection

This paper presents a general detection framework that is independent of botnet C&C protocol and structure, and requires no a priori knowledge of botnets (such as captured bot binaries and hence botnet signatures, or C&C server names/addresses).

BotGraph: Large Scale Spamming Botnet Detection

A novel system called BotGraph is designed and implemented to detect a new type of botnet spamming attacks targeting major Web email providers and uncovers the correlations among botnet activities by constructing large user-user graphs and looking for tightly connected subgraph components.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces

A novel approach based on passive analysis of recursive DNS traffic traces collected from multiple large networks is able to detect malicious flux service networks in the wild, i.e., as they are accessed by users who fall victim to malicious content advertised through blog spam, instant messaging spam, social website spam, etc., besides email spam.

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic

This paper proposes an approach that uses network-based anomaly detection to identify botnet C&C channels in a local area network without any prior knowledge of signatures or C&C server addresses, and shows that BotSniffer can detect real-world botnets with high accuracy and a very low false positive rate.

FluXOR: Detecting and Monitoring Fast-Flux Service Networks

FluXOR is a system to detect and monitor fast-flux service networks; its monitoring and detection strategies rely entirely on the analysis of a set of features observable from the point of view of a victim of the scams perpetrated through botnets.

Studying Spamming Botnets Using Botlab

It is found that six botnets are responsible for 79% of spam messages arriving at the UW campus, and defensive tools that take advantage of the Botlab platform to improve spam filtering and protect users from harmful web sites advertised within botnet-generated spam are presented.

Spamming botnets: signatures and characteristics

An in-depth analysis of the identified botnets revealed several interesting findings regarding the degree of email obfuscation, properties of botnet IP addresses, sending patterns, and their correlation with network scanning traffic.

Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm

In a case study, the Storm Worm botnet, the most widespread P2P botnet propagating in the wild at the time, is examined in detail, and two different ways to disrupt the communication channel between controller and compromised machines in order to mitigate the botnet are presented.

Beyond blacklists: learning to detect malicious web sites from suspicious URLs

This paper describes an approach to this problem based on automated URL classification, using statistical methods to discover the tell-tale lexical and host-based properties of malicious Web site URLs.

Dynamics of Online Scam Hosting Infrastructure

It is found that, unlike the short-lived nature of the scams themselves, the infrastructure that hosts these scams has relatively persistent features that may ultimately assist detection.