
A survey of botnet detection based on DNS

Review article, published in Neural Computing and Applications

Abstract

Botnets are a thorny and grave problem of today’s Internet, causing economic damage to organizations and individuals. A botnet is a group of compromised hosts, known as bots, that run malicious software for malicious purposes. It is also worth noting that the current trend among botnets is to hide their identity (i.e., the command and control server) behind DNS services in order to hinder identification. Fortunately, different approaches have been proposed and developed to tackle the botnet problem; however, the problem continues to grow and re-emerge, posing a serious threat to cyberspace-based businesses and individuals. Therefore, this paper explores the various botnet detection techniques by providing a survey of the current state of the art in botnet detection based on DNS traffic analysis. To the best of our knowledge, this is the first survey to discuss DNS-based botnet detection techniques; it explores and clarifies the problems, the existing solutions, and the future research directions in the field of botnet detection based on DNS traffic analysis, with the aim of more effective botnet detection mechanisms in the future.



Corresponding author

Correspondence to Ammar ALmomani.


Cite this article

Alieyan, K., ALmomani, A., Manasrah, A. et al. A survey of botnet detection based on DNS. Neural Comput & Applic 28, 1541–1558 (2017). https://doi.org/10.1007/s00521-015-2128-0
