International Conference on Security and Privacy in Communication Networks. 10th International ICST Conference, SecureComm 2014, Beijing, China, September 24-26, 2014, Revised Selected Papers, Part I

Research Article

Domain Algorithmically Generated Botnet Detection and Analysis

Download
376 downloads
  • @INPROCEEDINGS{10.1007/978-3-319-23829-6_38,
        author={Xiaolin Xu and Yonglin Zhou and Qingshan Li},
        title={Domain Algorithmically Generated Botnet Detection and Analysis},
        proceedings={International Conference on Security and Privacy in Communication Networks. 10th International ICST Conference, SecureComm 2014, Beijing, China, September 24-26, 2014, Revised Selected Papers, Part I},
        proceedings_a={SECURECOMM},
        year={2015},
        month={11},
        keywords={Botnet DNS Algorithmically generated domains Domain-flux},
        doi={10.1007/978-3-319-23829-6_38}
    }
    
  • Xiaolin Xu
    Yonglin Zhou
    Qingshan Li
    Year: 2015
    Domain Algorithmically Generated Botnet Detection and Analysis
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-319-23829-6_38
Xiaolin Xu,*, Yonglin Zhou1,*, Qingshan Li2,*
  • 1: Computer Emergency Response Team
  • 2: Key Laboratory of Network and Software Security Assurance of Peking University
*Contact email: xxl@cert.org.cn, zyl@cert.org.cn, liqs@pku.edu.cn

Abstract

To detect domains used by botnet and generated by algorithms, a new technique is proposed to analyze the query difference between algorithmically generated domain and legal domain based on a fact that every domain name in the domain group generated by one botnet has similar live time and query style. We look for suspicious domains in DNS traffic, and use change distance to verify these suspicious domains used by botnet. Then we tried to describe botnet change rate and change scope using domain change distance. Through deploying our system at operators’ RDNS, experiments were carried to validate the effectiveness of detection method. The experiment result shows that the method can detect algorithmically generated domains used by botnet.