
Winning with DNS Failures: Strategies for Faster Botnet Detection

Conference paper: Security and Privacy in Communication Networks (SecureComm 2011)

Abstract

Botnets such as Conficker and Torpig use high-entropy domain names for fluxing and evasion. A bot may query a large number of domains, many of which fail to resolve. In this paper, we present techniques in which the failed domain queries (NXDOMAIN responses) are used to: (i) speed up existing detection strategies that rely only on successfully resolved DNS domains; and (ii) detect Command and Control (C&C) server addresses through features such as the temporal correlation and the information entropy of both successful and failed domains. We apply our technique to a Tier-1 ISP dataset obtained from South Asia and to a campus DNS trace, and validate our methods by detecting Conficker botnet IPs and other anomalies with a false positive rate as low as 0.02%. Our technique can be applied at the edge of an autonomous system for real-time detection.

This work is supported in part by a Qatar National Research Foundation grant, Qatar Telecom, and NSF grants 0702012 and 0621410.
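The following is an added illustration in the spirit of the abstract, not the paper's own code or evaluation: it scores each DNS client by how bursty its NXDOMAIN responses are and by the Shannon entropy of the labels it queries. The log format, the entropy-per-label simplification and the thresholds are assumptions made for this example.

```python
# Added example, not the paper's code: score DNS clients by NXDOMAIN burstiness
# and Shannon entropy of queried labels. Log format and thresholds are assumed.
import math
from collections import defaultdict

# Constructed sample log: (timestamp_s, client_ip, qname, rcode).
# 10.0.0.5 is an ordinary host with one typo; 10.0.0.9 probes random names
# in quick succession until one resolves, as a DGA-style bot would.
SAMPLE_LOG = [
    (0.0, "10.0.0.5", "www.example.com", "NOERROR"),
    (3.0, "10.0.0.5", "cdn.examlpe.com", "NXDOMAIN"),
    (7.0, "10.0.0.5", "mail.example.com", "NOERROR"),
    (0.5, "10.0.0.9", "gq8z1vkd2ytfhxa.info", "NXDOMAIN"),
    (1.1, "10.0.0.9", "p3wzvbn7qkxe8td.biz", "NXDOMAIN"),
    (1.8, "10.0.0.9", "xm2k9jfqvhz4bwc.org", "NXDOMAIN"),
    (2.4, "10.0.0.9", "zk3pwvhq7xt2nbm.net", "NOERROR"),
]

def label_entropy(qname):
    """Shannon entropy (bits/char) of the second-level label; assumes a
    one-label public suffix (no co.uk handling)."""
    label = qname.rstrip(".").split(".")[-2]
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def max_burst(times, window):
    """Largest number of events inside any span of `window` seconds."""
    times = sorted(times)
    return max((sum(1 for t in times[i:] if t - s <= window)
                for i, s in enumerate(times)), default=0)

def score_clients(log, window=10.0, min_fail=0.5, min_entropy=3.5, min_burst=3):
    """Per-client features; suspicious only when every threshold is met."""
    by_client = defaultdict(list)
    for ts, client, qname, rcode in log:
        by_client[client].append((ts, qname, rcode))
    report = {}
    for client, rows in by_client.items():
        failed = [ts for ts, _, rc in rows if rc == "NXDOMAIN"]
        f = {"fail_ratio": len(failed) / len(rows),
             "mean_entropy": sum(label_entropy(q) for _, q, _ in rows) / len(rows),
             "nx_burst": max_burst(failed, window)}
        f["suspicious"] = (f["fail_ratio"] >= min_fail and
                           f["mean_entropy"] >= min_entropy and
                           f["nx_burst"] >= min_burst)
        report[client] = f
    return report
```

Run `score_clients(SAMPLE_LOG)` to see that only 10.0.0.9 is flagged: the single typo from 10.0.0.5 produces neither a burst nor high-entropy labels, which is the kind of false positive a failure-only rule would otherwise raise.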




Copyright information

© 2012 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

Cite this paper

Yadav, S., Reddy, A.L.N. (2012). Winning with DNS Failures: Strategies for Faster Botnet Detection. In: Rajarajan, M., Piper, F., Wang, H., Kesidis, G. (eds) Security and Privacy in Communication Networks. SecureComm 2011. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 96. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31909-9_26


  • DOI: https://doi.org/10.1007/978-3-642-31909-9_26

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-31908-2

  • Online ISBN: 978-3-642-31909-9

