Detecting algorithmically generated malicious domain names Conference Paper uri icon

abstract

  • Recent Botnets such as Conficker, Kraken and Torpig have used DNS based "domain fluxing" for command-and-control, where each Bot queries for existence of a series of domain names and the owner has to register only one such domain name. In this paper, we develop a methodology to detect such "domain fluxes" in DNS traffic by looking for patterns inherent to domain names that are generated algorithmically, in contrast to those generated by humans. In particular, we look at distribution of alphanumeric characters as well as bigrams in all domains that are mapped to the same set of IP-addresses. We present and compare the performance of several distance metrics, including KL-distance, Edit distance and Jaccard measure. We train by using a good data set of domains obtained via a crawl of domains mapped to all IPv4 address space and modeling bad data sets based on behaviors seen so far and expected. We also apply our methodology to packet traces collected at a Tier-1 ISP and show we can automatically detect domain fluxing as used by Conficker botnet with minimal false positives. Copyright 2010 ACM.

name of conference

  • the 10th annual conference

published proceedings

  • Proceedings of the 10th annual conference on Internet measurement - IMC '10

altmetric score

  • 3

author list (cited authors)

  • Yadav, S., Reddy, A., Reddy, A., & Ranjan, S

citation count

  • 224

complete list of authors

  • Yadav, Sandeep||Reddy, Ashwath Kumar Krishna||Reddy, AL Narasimha||Ranjan, Supranamaya

editor list (cited editors)

  • Allman, M.

publication date

  • January 2010