Winning with DNS Failures: Strategies for Faster Botnet Detection
Botnets such as Conficker and Torpig utilize high-entropy domains for fluxing and evasion. Bots may query a large number of domains, some of which fail to resolve. In this paper, we present techniques in which the failed domain queries (NXDOMAIN) are utilized for: (i) speeding up existing detection strategies that rely only on successfully resolved domains; (ii) detecting Command and Control (C&C) server addresses through features such as the temporal correlation and information entropy of both successful and failed domains. We apply our technique to a Tier-1 ISP dataset obtained from South Asia and to a campus DNS trace, and validate our methods by detecting Conficker botnet IPs and other anomalies with a false positive rate as low as 0.02%. Our technique can be applied at the edge of an autonomous system for real-time detection. 2012 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering.
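The abstract's idea, sketched as an added example rather than the authors' own code: per client, count NXDOMAIN failures, measure how tightly they cluster in time, and score the character entropy of the failed names; clients that burst high-entropy failures are flagged, and their successful high-entropy lookups are reported as candidate C&C addresses. The log format, the thresholds, the entropy measure (Shannon entropy over the label left of the TLD) and the sample records are all assumptions made for this illustration and are not taken from the paper's datasets.

```python
"""Added illustration (not the paper's code) of flagging DGA-like clients by
combining NXDOMAIN failures, temporal bursts and character entropy of the
queried names. Log format, thresholds and sample records are assumptions."""
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the paper's datasets), one query per line:
# "<ISO timestamp> <client IP> <queried name> <rcode> <answer IP or ->"
SAMPLE_LOG = """\
2012-03-01T10:00:00 10.0.0.5 www.example.com NOERROR 93.184.216.34
2012-03-01T10:00:02 10.0.0.5 mail.example.com NOERROR 93.184.216.35
2012-03-01T10:00:09 10.0.0.5 cdn.example.org NOERROR 203.0.113.7
2012-03-01T10:00:12 10.0.0.5 news.example.net NOERROR 203.0.113.8
2012-03-01T10:00:20 10.0.0.5 shop.example.com NOERROR 93.184.216.36
2012-03-01T10:01:00 10.0.0.9 qzvxfkmtwjh.biz NXDOMAIN -
2012-03-01T10:01:01 10.0.0.9 lpryqawbnguc.info NXDOMAIN -
2012-03-01T10:01:01 10.0.0.9 xdkvsmtrehoz.org NXDOMAIN -
2012-03-01T10:01:02 10.0.0.9 wbgjclnpvfat.net NXDOMAIN -
2012-03-01T10:01:03 10.0.0.9 mkjvtrpqyowe.ws NXDOMAIN -
2012-03-01T10:01:04 10.0.0.9 hxurqnlfbcaz.cc NXDOMAIN -
2012-03-01T10:01:05 10.0.0.9 ejtwmkpzyvgs.biz NOERROR 198.51.100.23
2012-03-01T10:01:07 10.0.0.9 www.example.com NOERROR 93.184.216.34
"""


def char_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of the characters in a DNS label."""
    if not label:
        return 0.0
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(name: str) -> str:
    """Label immediately left of the TLD ('example' for www.example.com).
    Simplification: no public-suffix list, so co.uk-style suffixes are not handled."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_log(text: str):
    """Parse the constructed log format into (ts, client, name, rcode, answer)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, name, rcode, answer = line.split()
        records.append((datetime.fromisoformat(ts), client, name, rcode, answer))
    return records


def max_burst(times, window_s: int) -> int:
    """Largest number of events falling inside any window_s-second window."""
    times = sorted(times)
    best, lo = 0, 0
    for hi in range(len(times)):
        while (times[hi] - times[lo]).total_seconds() > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def score_clients(records, window_s=60, min_burst=5, min_nx_ratio=0.5, min_entropy=3.0):
    """Per-client NXDOMAIN statistics; thresholds are illustrative assumptions."""
    per_client = defaultdict(list)
    for rec in records:
        per_client[rec[1]].append(rec)
    report = {}
    for client, recs in per_client.items():
        failed = [r for r in recs if r[3] == "NXDOMAIN"]
        nx_ratio = len(failed) / len(recs)
        ent = [char_entropy(registered_label(r[2])) for r in failed]
        mean_ent = sum(ent) / len(ent) if ent else 0.0
        burst = max_burst([r[0] for r in failed], window_s)
        flagged = burst >= min_burst and nx_ratio >= min_nx_ratio and mean_ent >= min_entropy
        # Candidate C&C: successful, high-entropy lookups from a flagged client;
        # the resolved address is what an analyst would pivot on next.
        candidates = [(r[2], r[4]) for r in recs
                      if flagged and r[3] == "NOERROR"
                      and char_entropy(registered_label(r[2])) >= min_entropy]
        report[client] = {"queries": len(recs), "nx_ratio": round(nx_ratio, 2),
                          "mean_nx_entropy": round(mean_ent, 2), "burst": burst,
                          "flagged": flagged, "candidate_cc": candidates}
    return report


if __name__ == "__main__":
    for client, stats in score_clients(parse_log(SAMPLE_LOG)).items():
        print(client, stats)
```

The NXDOMAIN burst is available before the bot ever reaches a live domain, which is the speed-up the abstract refers to: a client can be scored on its failures alone, and the first successful high-entropy resolution that follows is the C&C lead. A real deployment at an AS edge would need a public-suffix list for the label extraction and an allowlist for legitimate high-entropy names (CDN hostnames, anti-spam lookups) to keep the false positive rate down.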
Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering
complete list of authors
Yadav, Sandeep||Reddy, AL Narasimha
editor list (cited editors)
Rajarajan, M., Piper, F., Wang, H., & Kesidis, G.