Winning with DNS Failures: Strategies for Faster Botnet Detection [chapter]

Sandeep Yadav, A. L. Narasimha Reddy
2012 Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Botnets such as Conficker and Torpig utilize high entropy domains for fluxing and evasion. Bots may query a large number of domains, some of which may fail. In this paper, we present techniques where the failed domain queries (NXDOMAIN) may be utilized for: (i) speeding up the present detection strategies, which rely only on successful DNS domains; (ii) detecting Command and Control (C&C) server addresses through features such as temporal correlation and information entropy of both successful and failed domains. We apply our technique to a Tier-1 ISP dataset obtained from South Asia and to a campus DNS trace, and thus validate our methods by detecting Conficker botnet IPs and other anomalies with a false positive rate as low as 0.02%. Our technique can be applied at the edge of an autonomous system for real-time detection.
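As an added illustration of the two features the abstract names (not code from the paper or its authors), the following Python groups NXDOMAIN answers per client, scores the failed labels by character entropy, and lists high-entropy names that resolved within a short window of the failure burst as candidate C&C domains. The log format, the sample lines and the thresholds (`min_failed`, `min_entropy`, `window`) are constructed assumptions, not values from the paper's datasets.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS log, "<time> <client> <qname> <rcode>" (not the paper's dataset).
SAMPLE_LOG = """\
1000 10.0.0.5 www.example.com NOERROR
1001 10.0.0.5 mail.example.com NOERROR
1002 10.0.0.7 qx7vk3zt9p.info NXDOMAIN
1002 10.0.0.7 mzr8t2wqkd.org NXDOMAIN
1003 10.0.0.7 b4ln9xqe7vc.net NXDOMAIN
1003 10.0.0.7 wt3kz8jqp.biz NOERROR
1004 10.0.0.9 cdn.example.net NOERROR
1004 10.0.0.9 notreal.example NXDOMAIN
"""

def char_entropy(label):
    """Shannon entropy in bits per character; algorithmically generated labels score high."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def second_level_label(qname):
    """'qx7vk3zt9p.info' -> 'qx7vk3zt9p', the label a domain generator randomizes."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def flag_clients(text, min_failed=3, min_entropy=3.0, window=5):
    """Flag clients whose NXDOMAIN burst consists of high-entropy names, and list
    high-entropy names that resolved within `window` seconds of that burst as
    candidate C&C domains. Thresholds are illustrative assumptions, not the paper's.
    Log lines are assumed to be in time order."""
    events = defaultdict(list)
    for line in text.splitlines():
        t, client, qname, rcode = line.split()
        events[client].append((int(t), qname, rcode))
    flagged = {}
    for client, evs in events.items():
        failed = [(t, second_level_label(q)) for t, q, r in evs if r == "NXDOMAIN"]
        if len(failed) < min_failed:
            continue  # too few failures to call it a fluxing burst
        mean_ent = sum(char_entropy(lbl) for _, lbl in failed) / len(failed)
        if mean_ent < min_entropy:
            continue  # failures look like typos or stale names, not a generator
        lo, hi = failed[0][0] - window, failed[-1][0] + window
        candidates = sorted({q for t, q, r in evs if r == "NOERROR" and lo <= t <= hi
                             and char_entropy(second_level_label(q)) >= min_entropy})
        flagged[client] = {"failed": len(failed), "mean_entropy": round(mean_ent, 2),
                           "candidate_c2": candidates}
    return flagged
```

On the sample log only client 10.0.0.7 is flagged, with `wt3kz8jqp.biz` (the one high-entropy name that resolved inside the failure burst) listed as the candidate C&C domain.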
doi:10.1007/978-3-642-31909-9_26 fatcat:upg7jzxtxjhf3ars4chpvqtovu