论文信息 - Winning with DNS Failures: Strategies for Faster Botnet Detection

Winning with DNS Failures: Strategies for Faster Botnet Detection

Botnets such as Conficker and Torpig utilize high entropy domains for fluxing and evasion. Bots may query a large number of domains, some of which may fail. In this paper, we present techniques where the failed domain queries (NXDOMAIN) may be utilized for: (i) Speeding up the present detection strategies which rely only on successful DNS domains. (ii) Detecting Command and Control (C&C) server addresses through features such as temporal correlation and information entropy of both successful and failed domains. We apply our technique to a Tier-1 ISP dataset obtained from South Asia, and a campus DNS trace, and thus validate our methods by detecting Conficker botnet IPs and other anomalies with a false positive rate as low as 0.02%. Our technique can be applied at the edge of an autonomous system for real-time detection.

Sandeep Yadav | A. L. Narasimha Reddy | A. Reddy | Sandeep Yadav | A. Reddy

[1] Jin Cao,et al. Identifying suspicious activities through DNS failure graph analysis , 2010, The 18th IEEE International Conference on Network Protocols.

[2] Vinod Yegneswaran,et al. BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation , 2007, USENIX Security Symposium.

[3] José Carlos Brustoloni,et al. Bayesian bot detection based on DNS traffic similarity , 2009, SAC '09.

[4] Sandeep Yadav,et al. MiND: Misdirected DNS Packet Detector , 2010 .

[5] R. Villamarin-Salomon,et al. Identifying Botnets Using Anomaly Detection Techniques Applied to DNS Traffic , 2008, 2008 5th IEEE Consumer Communications and Networking Conference.

[6] Sandeep Yadav,et al. Detecting algorithmically generated malicious domain names , 2010, IMC '10.

[7] Yakov Rekhter,et al. Address Allocation for Private Internets , 1994, RFC.

[8] Hinrich Schütze,et al. Introduction to Information Retrieval: Evaluation in information retrieval , 2008 .

[9] Vinod Yegneswaran,et al. Using Failure Information Analysis to Detect Enterprise Zombies , 2009, SecureComm.

[10] Christopher Krügel,et al. Your botnet is my botnet: analysis of a botnet takeover , 2009, CCS.