Research Article
Winning with DNS Failures: Strategies for Faster Botnet Detection
@INPROCEEDINGS{10.1007/978-3-642-31909-9_26,
  author        = {Sandeep Yadav and A. Reddy},
  title         = {Winning with DNS Failures: Strategies for Faster Botnet Detection},
  proceedings   = {Security and Privacy in Communication Networks. 7th International ICST Conference, SecureComm 2011, London, UK, September 7-9, 2011, Revised Selected Papers},
  proceedings_a = {SECURECOMM},
  year          = {2012},
  month         = {10},
  keywords      = {Botnet Domain-fluxing DNS Failures},
  doi           = {10.1007/978-3-642-31909-9_26}
}
- Sandeep Yadav
- A. Reddy
Year: 2012
SECURECOMM
Springer
DOI: 10.1007/978-3-642-31909-9_26
Abstract
Botnets such as Conficker and Torpig utilize high-entropy domain names for domain fluxing and evasion. A bot may query a large number of such domains, some of which fail to resolve. In this paper, we present techniques that use the failed domain queries (NXDOMAIN responses) to: (i) speed up existing detection strategies, which rely only on successfully resolved domains; and (ii) detect Command and Control (C&C) server addresses through features such as the temporal correlation and the information entropy of both successful and failed domains. We apply our technique to a Tier-1 ISP dataset obtained from South Asia and to a campus DNS trace, and validate our methods by detecting Conficker botnet IPs and other anomalies with a false positive rate as low as 0.02%. Our technique can be applied at the edge of an autonomous system for real-time detection.
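As an added illustration of the two ideas in the abstract (counting NXDOMAIN failures per client and comparing the entropy of failed and successful names that fall in the same time window), here is a small Python detector written for this page. It is not the authors' code and does not reproduce their exact feature set; the log lines, the 60-second window, the burst and entropy thresholds, and the single-label-TLD assumption in `second_level_label` are all constructed for the example.

```python
"""Added example (not the paper's implementation): flag clients whose
NXDOMAIN replies arrive in a burst of random-looking names, then list the
successfully resolved names from the same window that look equally random
as candidate C&C domains."""
import math
from collections import defaultdict

# Constructed sample DNS log: (unix_ts, client_ip, queried_name, rcode).
SAMPLE_LOG = [
    # 10.0.0.5 behaves like a fluxing bot: a tight burst of random-looking
    # failures, then one random-looking name that resolves.
    (1000, "10.0.0.5", "ckjwpqvt.info", "NXDOMAIN"),
    (1003, "10.0.0.5", "xbzmqhlw.com", "NXDOMAIN"),
    (1007, "10.0.0.5", "pgvfrtnd.org", "NXDOMAIN"),
    (1012, "10.0.0.5", "hwqykzbs.net", "NXDOMAIN"),
    (1015, "10.0.0.5", "mtldvnzp.biz", "NXDOMAIN"),
    (1018, "10.0.0.5", "jrqmxvtz.info", "NOERROR"),
    # 10.0.0.7 is an ordinary host: dictionary names and one failed lookup.
    (1001, "10.0.0.7", "google.com", "NOERROR"),
    (1030, "10.0.0.7", "github.com", "NOERROR"),
    (1060, "10.0.0.7", "intranet.local", "NXDOMAIN"),
    (1090, "10.0.0.7", "wikipedia.org", "NOERROR"),
    # 10.0.0.9 mistypes a few names spread over time: failures, but no burst.
    (1005, "10.0.0.9", "gogle.com", "NXDOMAIN"),
    (1200, "10.0.0.9", "facebok.com", "NXDOMAIN"),
    (1400, "10.0.0.9", "amazn.com", "NXDOMAIN"),
]


def shannon_entropy(s):
    """Bits of Shannon entropy over the character distribution of s."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(name):
    """Label just below the TLD, e.g. 'ckjwpqvt' for 'ckjwpqvt.info'.
    Assumption: single-label public suffixes only (no .co.uk handling)."""
    labels = name.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def max_failures_in_window(timestamps, window):
    """Largest number of failures for one client inside any `window` seconds
    (two-pointer sweep over the sorted timestamps)."""
    ts = sorted(timestamps)
    best = left = 0
    for right in range(len(ts)):
        while ts[right] - ts[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def analyse(log, window=60, min_burst=4, min_entropy=2.5):
    """Return {client: report} for clients whose NXDOMAIN burst size and mean
    failed-label entropy both reach the (assumed) thresholds. Each report also
    lists NOERROR names from around the burst whose labels are as random-looking
    as the failures: the C&C candidates in the sense of the abstract."""
    per_client = defaultdict(list)
    for ts, client, name, rcode in log:
        per_client[client].append((ts, name, rcode))
    flagged = {}
    for client, recs in per_client.items():
        failed = [(ts, name) for ts, name, rc in recs if rc == "NXDOMAIN"]
        if not failed:
            continue
        burst = max_failures_in_window([ts for ts, _ in failed], window)
        mean_ent = sum(shannon_entropy(second_level_label(n))
                       for _, n in failed) / len(failed)
        if burst < min_burst or mean_ent < min_entropy:
            continue
        first = min(ts for ts, _ in failed)
        last = max(ts for ts, _ in failed)
        candidates = sorted({
            name for ts, name, rc in recs
            if rc == "NOERROR"
            and first - window <= ts <= last + window
            and shannon_entropy(second_level_label(name)) >= min_entropy})
        flagged[client] = {"burst": burst,
                           "mean_failed_entropy": round(mean_ent, 3),
                           "cc_candidates": candidates}
    return flagged


if __name__ == "__main__":
    for client, report in analyse(SAMPLE_LOG).items():
        print(client, report)
```

Two caveats worth keeping in mind when adapting this. Character entropy of a single short label separates dictionary words from random strings only weakly: `shannon_entropy("wikipedia")` is about 2.64 bits, above the 2.5-bit threshold used here, while the eight-distinct-letter labels of the bot score exactly 3.0. That is why the example gates on the NXDOMAIN burst as well rather than on entropy alone. Second, the candidate list is only a shortlist: a legitimate CDN or tracking hostname resolved during the burst can land in it, so the resolved IPs still need corroboration before being treated as C&C.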