Title: From throw-away traffic to bots: detecting the rise of DGA-based malware
Abstract

Many botnet detection systems employ a blacklist of known command and control (C&C) domains to detect bots and block their traffic. Similar to signature-based virus detection, such a botnet detection approach is static because the blacklist is updated only after running an external (and often manual) process of domain discovery. As a response, botmasters have begun employing domain generation algorithms (DGAs) to dynamically produce a large number of random domain names and select a small subset for actual C&C use. That is, a C&C domain is randomly generated and used for a very short period of time, thus rendering detection approaches that rely on static domain lists ineffective. Naturally, if we know how a domain generation algorithm works, we can generate the domains ahead of time and still identify and block botnet C&C traffic. The existing solutions are largely based on reverse engineering of the bot malware executables, which is not always feasible. In this paper we present a new technique to detect randomly generated domains without reversing. Our insight is that most of the DGA-generated (random) domains that a bot queries would result in Non-Existent Domain (NXDomain) responses, and that bots from the same botnet (with the same DGA) would generate similar NXDomain traffic. Our approach uses a combination of clustering and classification algorithms. The clustering algorithm clusters domains based on the similarity in the make-ups of domain names as well as the groups of machines that queried these domains. The classification algorithm is used to assign the generated clusters to models of known DGAs. If a cluster cannot be assigned to a known model, then a new model is produced, indicating a new DGA variant or family. We implemented a prototype system and evaluated it on real-world DNS traffic obtained from large ISPs in North America. We report the discovery of twelve DGAs. Half of them are variants of known (botnet) DGAs, and the other half are brand new DGAs that have never been reported before.
Year: 2012
Venue: USENIX Security Symposium
Keywords: static domain, throw-away traffic, domain generation algorithm, C&C use, domain generation algorithm work, C&C domain, classification algorithm, domain discovery, C&C traffic, domain name, DGA-based malware, random domain name
Field: Domain generation algorithm, Botnet, Computer science, Computer security, Reverse engineering, Blacklist, Statistical classification, Cluster analysis, Malware, Executable
DocType: Conference
Citations: 120
PageRank: 4.05
References: 17
Authors: 7
Name                  Order  Citations  PageRank
Manos Antonakakis     1      702        36.70
Roberto Perdisci      2      2137       97.99
Yacin Nadji           3      322        15.31
Nikolaos Vasiloglou   4      144        8.27
Saeed Abu-Nimeh       5      303        16.70
Wenke Lee             6      9351       628.83
David Dagon           7      1635       131.25