Winning with DNS Failures: Strategies for Faster Botnet Detection (Conference Paper)

abstract

  • Botnets such as Conficker and Torpig utilize high entropy domains for fluxing and evasion. Bots may query a large number of domains, some of which may fail. In this paper, we present techniques where the failed domain queries (NXDOMAIN) may be utilized for: (i) speeding up the present detection strategies which rely only on successful DNS domains; (ii) detecting Command and Control (C&C) server addresses through features such as temporal correlation and information entropy of both successful and failed domains. We apply our technique to a Tier-1 ISP dataset obtained from South Asia, and a campus DNS trace, and thus validate our methods by detecting Conficker botnet IPs and other anomalies with a false positive rate as low as 0.02%. Our technique can be applied at the edge of an autonomous system for real-time detection. 2012 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering.

published proceedings

  • Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering

altmetric score

  • 3

author list (cited authors)

  • Yadav, S., & Reddy, A.

citation count

  • 58

complete list of authors

  • Yadav, Sandeep; Reddy, A. L. Narasimha

editor list (cited editors)

  • Rajarajan, M., Piper, F., Wang, H., & Kesidis, G.

publication date

  • November 2012