Detecting Algorithmically Generated Domain-Flux Attacks With DNS Traffic Analysis Academic Article uri icon

abstract

  • Recent botnets such as Conficker, Kraken, and Torpig have used DNS-based domain fluxing for command-and-control, where each Bot queries for existence of a series of domain names and the owner has to register only one such domain name. In this paper, we develop a methodology to detect such domain fluxes in DNS traffic by looking for patterns inherent to domain names that are generated algorithmically, in contrast to those generated by humans. In particular, we look at distribution of alphanumeric characters as well as bigrams in all domains that are mapped to the same set of IP addresses. We present and compare the performance of several distance metrics, including K-L distance, Edit distance, and Jaccard measure. We train by using a good dataset of domains obtained via a crawl of domains mapped to all IPv4 address space and modeling bad datasets based on behaviors seen so far and expected. We also apply our methodology to packet traces collected at a Tier-1 ISP and show we can automatically detect domain fluxing as used by Conficker botnet with minimal false positives, in addition to discovering a new botnet within the ISP trace. We also analyze a campus DNS trace to detect another unknown botnet exhibiting advanced domain-name generation technique. 2012 IEEE.

published proceedings

  • IEEE-ACM TRANSACTIONS ON NETWORKING

altmetric score

  • 6

author list (cited authors)

  • Yadav, S., Reddy, A., Reddy, A., & Ranjan, S.

citation count

  • 153

complete list of authors

  • Yadav, Sandeep||Reddy, Ashwath Kumar Krishna||Reddy, AL Narasimha||Ranjan, Supranamaya

publication date

  • October 2012