Detection of Algorithmically Generated Domain Names in Botnets

  • Deepak Kumar Vishvakarma
  • Ashutosh BhatiaEmail author
  • Zdenek Riha
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 926)


Botnets pose a major threat to the information security of organizations and individuals. The bots (malware infected hosts) receive commands and updates from the Command and Control (C&C) servers, and hence, contacting and communicating with these servers is an essential requirement of bots. However, once a malware is identified in the infected host, it is easy to find its C&C server and block it, if the domain names of the servers are hard-coded in the malware. To counter such detection, many malwares families use probabilistic algorithms known as domain generation algorithms (DGAs) to generate domain names for the C&C servers. This makes it difficult to track down the C&C servers of the Botnet even after the malware is identified. In this paper, we propose a probabilistic approach for the identification of domain names which are likely to be generated by a malware using DGA. The proposed solution is based on the hypothesis that human generated domain names are usually inspired by the words from a particular language (say English), whereas DGA generated domain names should contain random sub-strings in it. Results show that the percentage of false negatives in the detection of DGA generated domain names using the proposed method is less than 29% across 30 DGA families considered by us in our experimentation.


Domain name system Domain generations algorithms Botnets Command and control servers 


  1. 1.
    Stone-Gross, B., Cova, M., Cavallaro, L., Gilbert, B., Szydlowski, M., Kemmerer, R., Kruegel, C., Vigna, G.: Your botnet is my botnet: analysis of a botnet takeover. In: Security, pp. 635–647 (2009)Google Scholar
  2. 2.
    Barabosch, T., Wichmann, A., Leder, F., Gerhards-Padilla, E.: Automatic extraction of domain name generation algorithms from current malwareGoogle Scholar
  3. 3.
    Panda Security: Pandalabs annual Report - 2015 summary (2016)Google Scholar
  4. 4.
    Yin, H., Song, D.: Panorama: capturing System-wise information flow for malware detection and analysis. In: CCS 2007, Alexandra, Virginia, USA, 29 November–2 November 2007 (2007)Google Scholar
  5. 5.
    Kolbitsch, C., Holz, T., Kruegel, C., Kirda, E.: Inspector gadget: automated extraction of proprietary gadgets from malware binaries. In: Security and Privacy, pp. 29–44 (2010)Google Scholar
  6. 6.
    Caballero, J., Johnson, N.M., Mccamant, S., Song, D.: Binary code extraction and interface identification for security applications. Electr. Eng. (2009)Google Scholar
  7. 7.
    Yadav, S., Reddy, A., Reddy, A.: Detecting algorithmically generated malicious domain names. In: IMC 2010 (2010)Google Scholar
  8. 8.
    Bilge, L., Kirda, E., Kruegel, C., Balduzzi, M., Antipolis, S.: Exposure: finding malicious domains using passive DNS analysis. In: 18th Annual Network and Distributed System Security Symposium, pp. 1–17 (2011)Google Scholar
  9. 9.
    Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., Feamster, N.: Building a dynamic reputation system for DNS. In: Proceedings of the 19th Conference on Security, USENIX Security 2010, p. 18 (2010)Google Scholar
  10. 10.
    Burr, W., Dodson, D., Polk, W.: Electronic authentication guideline. NIST Special publication 800-63 (2004)Google Scholar
  11. 11.
  12. 12.
    Sharifnya, R., Abadi, M.: A novel reputation system to detect DGA-based botnets. In: Proceedings 2013 ANR (2013)Google Scholar
  13. 13.
    Yadav, S., Reddy, A.K.K., Reddy, A.L.N., Ranjan, S.: Detecting algorithmically generated domain-flux attacks with DNS traffic analysis. IEEE/ACM Trans. Netw. 20, 1663–1677 (2012)CrossRefGoogle Scholar
  14. 14.
    Li, R., Vitanyi, P.: An Introduction to Kolmogorov Complexity and Its Applications. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  15. 15.
    Royal, P.: On the Kraken and Bobax botnets (2008). Accessed 06 Aug 2012
  16. 16.
    Leder, F., Werner, T.: Know your enemy: containing conficker. The Honeynet Project (2009)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Deepak Kumar Vishvakarma
    • 1
  • Ashutosh Bhatia
    • 2
    Email author
  • Zdenek Riha
    • 3
  1. 1.Center for Artificial Intelligence and Robotics, CAIRBangaloreIndia
  2. 2.Department of Computer ScienceBITSPilaniIndia
  3. 3.Faculty of InformaticsMasaryk UniversityBrnoCzech Republic

Personalised recommendations