Security and Privacy in Communication Networks. 7th International ICST Conference, SecureComm 2011, London, UK, September 7-9, 2011, Revised Selected Papers

Research Article

Winning with DNS Failures: Strategies for Faster Botnet Detection

  • @INPROCEEDINGS{10.1007/978-3-642-31909-9_26,
        author={Sandeep Yadav and A. Reddy},
        title={Winning with DNS Failures: Strategies for Faster Botnet Detection},
        proceedings={Security and Privacy in Communication Networks. 7th International ICST Conference, SecureComm 2011, London, UK, September 7-9, 2011, Revised Selected Papers},
        proceedings_a={SECURECOMM},
        year={2012},
        month={10},
        keywords={Botnet Domain-fluxing DNS Failures},
        doi={10.1007/978-3-642-31909-9_26}
    }
    
  • Sandeep Yadav
    A. Reddy
    Year: 2012
    Winning with DNS Failures: Strategies for Faster Botnet Detection
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-642-31909-9_26
Sandeep Yadav1,*, A. Reddy1,*
  • 1: Texas A&M University
*Contact email: sandeepy@tamu.edu, reddy@ece.tamu.edu

Abstract

Botnets such as Conficker and Torpig utilize high-entropy domain names for domain fluxing and evasion. Bots may query a large number of domains, some of which fail to resolve. In this paper, we present techniques in which the failed domain queries (NXDOMAIN responses) are utilized for: (i) speeding up the present detection strategies, which rely only on successfully resolved DNS domains; (ii) detecting Command and Control (C&C) server addresses through features such as the temporal correlation and the information entropy of both successful and failed domains. We apply our technique to a Tier-1 ISP dataset obtained from South Asia and to a campus DNS trace, and we validate our methods by detecting Conficker botnet IPs and other anomalies with a false positive rate as low as 0.02%. Our technique can be applied at the edge of an autonomous system for real-time detection.