Abstract
Botnets such as Conficker and Torpig utilize high entropy domains for fluxing and evasion. Bots may query a large number of domains, some of which may fail. In this paper, we present techniques where the failed domain queries (NXDOMAIN) may be utilized for: (i) Speeding up the present detection strategies which rely only on successful DNS domains. (ii) Detecting Command and Control (C&C) server addresses through features such as temporal correlation and information entropy of both successful and failed domains. We apply our technique to a Tier-1 ISP dataset obtained from South Asia, and a campus DNS trace, and thus validate our methods by detecting Conficker botnet IPs and other anomalies with a false positive rate as low as 0.02%. Our technique can be applied at the edge of an autonomous system for real-time detection.
This work is supported in part by a Qatar National Research Foundation grant, Qatar Telecom, and NSF grants 0702012 and 0621410.
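The abstract describes two ingredients: scoring the names a client fails to resolve (NXDOMAIN) by their character entropy, and correlating a burst of such failures in time with the successful lookup that follows it, so that the answer to that lookup becomes a candidate C&C address. The script below is an added illustration of that idea, not code from the paper or its authors. The log format, the thresholds (`window_s`, `min_failures`, `entropy_threshold`), the naive second-level-label extraction, and the sample records are all assumptions constructed for this example; the answer IPs come from the RFC 5737 documentation ranges.

```python
"""Entropy and temporal-correlation scoring of DNS failures (NXDOMAIN).

Added example: a client's failed lookups are treated as a signal, the
failed names are scored by character entropy, and a burst of high-entropy
failures is correlated with the successful high-entropy lookup that
follows it. Thresholds and the log format are assumptions, not the paper's.
"""
import math
from collections import Counter, defaultdict

# Constructed sample DNS log: (time_s, client_ip, qname, rcode, answer_ip).
# 10.0.0.5 is an ordinary user (one typo). 10.0.0.7 behaves like a DGA bot:
# a burst of random-looking names fails, then one of them resolves.
# Answer IPs are RFC 5737 documentation addresses (placeholders).
SAMPLE_LOG = [
    (0.0,  "10.0.0.5", "www.google.com",   "NOERROR",  "192.0.2.10"),
    (1.5,  "10.0.0.5", "wwww.google.com",  "NXDOMAIN", None),
    (2.0,  "10.0.0.5", "mail.example.com", "NOERROR",  "192.0.2.11"),
    (10.0, "10.0.0.7", "kqzvtxmwp.com",    "NXDOMAIN", None),
    (10.2, "10.0.0.7", "bxwrjhyqa.net",    "NXDOMAIN", None),
    (10.4, "10.0.0.7", "pmqzlvdsrn.org",   "NXDOMAIN", None),
    (10.9, "10.0.0.7", "vtxkjrqwb.info",   "NXDOMAIN", None),
    (11.3, "10.0.0.7", "zqmwbhvtjx.biz",   "NXDOMAIN", None),
    (12.0, "10.0.0.7", "rmxzkvtqf.com",    "NOERROR",  "198.51.100.23"),
    (40.0, "10.0.0.7", "www.google.com",   "NOERROR",  "192.0.2.10"),
]


def second_level_label(qname):
    """Label just left of the TLD (naive: treats the last label as the TLD)."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def char_entropy(text):
    """Shannon entropy in bits per character of the character distribution."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def failure_stats(log):
    """Per client: NXDOMAIN count, share of all queries, mean entropy of failed names."""
    queries = defaultdict(int)
    failed = defaultdict(list)
    for _, client, qname, rcode, _ in log:
        queries[client] += 1
        if rcode == "NXDOMAIN":
            failed[client].append(char_entropy(second_level_label(qname)))
    stats = {}
    for client, total in queries.items():
        ent = failed.get(client, [])
        stats[client] = {
            "nx_count": len(ent),
            "nx_ratio": len(ent) / total,
            "mean_entropy": sum(ent) / len(ent) if ent else 0.0,
        }
    return stats


def candidate_cc(log, window_s=5.0, min_failures=3, entropy_threshold=3.0):
    """Temporal correlation: at least min_failures high-entropy NXDOMAINs
    within window_s, followed within window_s by a successful high-entropy
    lookup, mark that lookup's answer as a candidate C&C address."""
    by_client = defaultdict(list)
    for ev in sorted(log, key=lambda e: e[0]):
        by_client[ev[1]].append(ev)
    found = defaultdict(list)
    for client, events in by_client.items():
        recent_failures = []  # timestamps of high-entropy NXDOMAINs still in the window
        for t, _, qname, rcode, answer in events:
            ent = char_entropy(second_level_label(qname))
            recent_failures = [ft for ft in recent_failures if t - ft <= window_s]
            if rcode == "NXDOMAIN":
                if ent >= entropy_threshold:
                    recent_failures.append(t)
            elif rcode == "NOERROR" and ent >= entropy_threshold \
                    and len(recent_failures) >= min_failures:
                found[client].append((qname, answer))
    return dict(found)


if __name__ == "__main__":
    for client, s in failure_stats(SAMPLE_LOG).items():
        print(f"{client}: nx={s['nx_count']} ratio={s['nx_ratio']:.2f} "
              f"mean_entropy={s['mean_entropy']:.2f}")
    print("candidate C&C:", candidate_cc(SAMPLE_LOG))
```

The point the example makes is the one in the abstract: the ordinary client also produces an NXDOMAIN, but its failed name has low entropy and is isolated in time, so it is never flagged, whereas the bot is identified by the combination of many high-entropy failures and the high-entropy success that follows them, without waiting for the successful domain alone to accumulate evidence. In a real deployment the naive TLD handling would be replaced by a public-suffix list and the thresholds tuned on the local traffic.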
Copyright information
© 2012 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
Cite this paper
Yadav, S., Reddy, A.L.N. (2012). Winning with DNS Failures: Strategies for Faster Botnet Detection. In: Rajarajan, M., Piper, F., Wang, H., Kesidis, G. (eds) Security and Privacy in Communication Networks. SecureComm 2011. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 96. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31909-9_26
DOI: https://doi.org/10.1007/978-3-642-31909-9_26
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-31908-2
Online ISBN: 978-3-642-31909-9