DGA-Based Botnet Detection Using DNS Traffic

Yonglin Zhou, Qing-Shan Li, Qidi Miao, Kangbin Yim
2013 Journal of Internet Services and Information Security  
In recent years, an increasing number of botnets use Domain Generation Algorithms (DGAs) to bypass botnet detection systems. DGAs, also referred to as "domain fluxing", have been used by botnet controllers since 2004 and have now become an emerging trend in malware. A DGA dynamically and frequently generates a large number of random domain names, which are used to prevent security systems from detecting and blocking them. In this paper, we present a new technique to detect DGAs using DNS NXDomain traffic. Our insight is that every domain name in the group generated by one botnet's DGA is typically used only for a short period of time, and the domains in such a group have similar lifetimes and query styles. We look for this pattern in DNS NXDomain traffic to filter out the algorithmically generated domains that DGA-based botnets produce. We implemented a prototype system and carried out an experiment at a pilot RDNS (recursive DNS server) of an Internet operator. The results show that our method effectively detects algorithmically generated domains used by botnets.
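The following is an added illustration of the insight stated in the abstract, not the authors' implementation: NXDomain responses are grouped per queried name, each name gets a lifetime (first to last query), a query count and the set of querying clients, and names whose lifetime is short and whose signature matches that of several other names are reported as a candidate DGA group. The log format, the thresholds (`max_lifetime`, `bucket`, `min_count`, `min_group`) and the sample lines are assumptions of this example; the domains and addresses are constructed, not observed data.

```python
"""Group NXDomain traffic by lifetime and query style to surface DGA-like domain sets.
Added example; not the paper's prototype. Log format and thresholds are assumptions."""

from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample log, one response per line: "<epoch secs> <client ip> <qname> <rcode>".
# 10.0.0.7 behaves like an infected host walking a DGA list: four random-looking names,
# each queried three times 30 s apart, all failing, then a successful rendezvous lookup.
# 10.0.0.5 is a one-off typo and 10.0.0.12 a stale internal name queried once a day.
SAMPLE_LOG = """\
1000 10.0.0.5 gooogle.com NXDOMAIN
1005 10.0.0.5 www.example.com NOERROR
1100 10.0.0.7 xk3j9qzpw.net NXDOMAIN
1101 10.0.0.7 qwe8ypl2m.com NXDOMAIN
1102 10.0.0.7 zzr4tvb0n.org NXDOMAIN
1103 10.0.0.7 hb7mq2lks.info NXDOMAIN
1130 10.0.0.7 xk3j9qzpw.net NXDOMAIN
1131 10.0.0.7 qwe8ypl2m.com NXDOMAIN
1132 10.0.0.7 zzr4tvb0n.org NXDOMAIN
1133 10.0.0.7 hb7mq2lks.info NXDOMAIN
1160 10.0.0.7 xk3j9qzpw.net NXDOMAIN
1161 10.0.0.7 qwe8ypl2m.com NXDOMAIN
1162 10.0.0.7 zzr4tvb0n.org NXDOMAIN
1163 10.0.0.7 hb7mq2lks.info NXDOMAIN
1200 10.0.0.7 rendezvous.example NOERROR
0 10.0.0.12 printer.corp.local NXDOMAIN
86400 10.0.0.12 printer.corp.local NXDOMAIN
172800 10.0.0.12 printer.corp.local NXDOMAIN
"""


@dataclass
class DomainStats:
    first: int                     # first NXDomain response seen (epoch seconds)
    last: int                      # last NXDomain response seen
    count: int = 0                 # number of NXDomain responses
    clients: Set[str] = field(default_factory=set)

    @property
    def lifetime(self) -> int:
        return self.last - self.first


def parse_log(text: str) -> Dict[str, DomainStats]:
    """Collect per-domain statistics from NXDOMAIN lines only; other rcodes are ignored."""
    stats: Dict[str, DomainStats] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, client, qname, rcode = line.split()
        if rcode != "NXDOMAIN":
            continue
        ts = int(ts_str)
        s = stats.get(qname)
        if s is None:
            s = stats[qname] = DomainStats(first=ts, last=ts)
        s.first = min(s.first, ts)
        s.last = max(s.last, ts)
        s.count += 1
        s.clients.add(client)
    return stats


def signature(s: DomainStats, bucket: int) -> Tuple[frozenset, int, int]:
    """Query-style key: which clients asked, lifetime bucketed to `bucket` seconds, how often."""
    return (frozenset(s.clients), s.lifetime // bucket, s.count)


def find_dga_groups(text: str, max_lifetime: int = 3600, bucket: int = 30,
                    min_count: int = 2, min_group: int = 3) -> List[List[str]]:
    """Return sorted groups of NXDomain names that are short-lived, retried, and share a signature.

    Heuristic thresholds are this example's assumptions: a DGA name is expected to be
    retried (min_count), to go quiet within max_lifetime, and to come in sets (min_group).
    Long-lived failures (stale internal names) and single typos fall out of the grouping.
    """
    groups: Dict[Tuple[frozenset, int, int], List[str]] = defaultdict(list)
    for qname, s in parse_log(text).items():
        if s.lifetime > max_lifetime or s.count < min_count:
            continue
        groups[signature(s, bucket)].append(qname)
    return sorted(sorted(g) for g in groups.values() if len(g) >= min_group)


if __name__ == "__main__":
    for group in find_dga_groups(SAMPLE_LOG):
        print("candidate DGA group:", ", ".join(group))
```

On real resolver traffic the signature would also carry the label length and character distribution of the name and the inter-query interval, and the client set should be widened from exact equality to overlap, since a botnet's hosts share a seed but not a clock; the example keeps exact matching so the grouping step is easy to follow.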
doi:10.22667/jisis.2013.11.31.116 dblp:journals/jisis/ZhouLMY13 fatcat:pmch6zecnzf3fc44ch2ujyuxz4