Detecting Malware Domains: A Cyber-Threat Alarm System

Throughout the years, hackers' intentions have varied from curiosity, to financial gain, to political statements. Armed with their botnets, bot masters could crash a server or website. Statistics show that botnet activity accounts for 29% of Internet traffic. But how can bot masters establish undetected communication with their botnets? The answer lies in the Domain Name System (DNS): hackers host their own domain and assign it constantly changing IP addresses to avoid detection. In this paper, we propose a multi-factor cyber-threat detection system that relies on DNS traffic analysis to detect malicious domains. The proposed system was implemented and tested, and the results are very promising.
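As an added illustration of the idea behind the abstract (a domain whose resolved addresses keep changing stands out in DNS traffic), the following Python scores domains from passive-DNS answer records using three factors. This is example code, not the paper's system; the sample records, the thresholds and the /16-prefix heuristic are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample of passive-DNS answer records: (domain, resolved IPv4, TTL seconds).
# Made-up documentation-range addresses, not data from the paper.
SAMPLE_RECORDS = [
    ("static.example.org", "198.51.100.10", 3600),
    ("static.example.org", "198.51.100.10", 3600),
    ("static.example.org", "198.51.100.11", 3600),
    ("flux.example.net", "203.0.113.5", 120),
    ("flux.example.net", "192.0.2.77", 90),
    ("flux.example.net", "198.51.100.200", 60),
    ("flux.example.net", "203.0.113.99", 120),
    ("flux.example.net", "192.0.2.14", 30),
]

def summarize(records):
    """Per domain: (distinct IPs, distinct /16 prefixes, minimum TTL). Assumes IPv4."""
    ips, prefixes, min_ttl = defaultdict(set), defaultdict(set), {}
    for domain, ip, ttl in records:
        ips[domain].add(ip)
        # /16 prefix as a crude proxy for how many different networks host the domain
        prefixes[domain].add(int(ip_address(ip)) >> 16)
        min_ttl[domain] = min(ttl, min_ttl.get(domain, ttl))
    return {d: (len(ips[d]), len(prefixes[d]), min_ttl[d]) for d in ips}

def score_domain(distinct_ips, distinct_prefixes, min_ttl,
                 ip_threshold=4, prefix_threshold=3, ttl_threshold=300):
    """Multi-factor churn score: one point per indicator that exceeds its (assumed) threshold."""
    score = 0
    if distinct_ips >= ip_threshold:          # many different answers for one name
        score += 1
    if distinct_prefixes >= prefix_threshold: # answers spread over unrelated networks
        score += 1
    if min_ttl <= ttl_threshold:              # short TTLs force frequent re-resolution
        score += 1
    return score

def flag_domains(records, min_score=2):
    """Return {domain: score} for domains whose churn score reaches min_score."""
    flagged = {}
    for domain, stats in summarize(records).items():
        score = score_domain(*stats)
        if score >= min_score:
            flagged[domain] = score
    return flagged

if __name__ == "__main__":
    print(flag_domains(SAMPLE_RECORDS))  # prints {'flux.example.net': 3}
```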
