Proceedings Article, DOI 10.1145/1879141.1879148
Detecting algorithmically generated malicious domain names
Sandeep Yadav, Ashwath Kumar Krishna Reddy, A. L. Narasimha Reddy, Supranamaya Ranjan
- 01 Nov 2010
- pp 48-61
TL;DR: This paper develops a methodology to detect domain fluxing as used by the Conficker botnet with minimal false positives and applies it to packet traces collected at a Tier-1 ISP.
Abstract: Recent botnets such as Conficker, Kraken and Torpig have used DNS-based "domain fluxing" for command-and-control, where each bot queries for the existence of a series of domain names and the owner has to register only one such domain name. In this paper, we develop a methodology to detect such "domain fluxes" in DNS traffic by looking for patterns inherent to domain names that are generated algorithmically, in contrast to those generated by humans. In particular, we look at the distribution of alphanumeric characters as well as bigrams in all domains that are mapped to the same set of IP addresses. We present and compare the performance of several distance metrics, including KL-distance, edit distance and the Jaccard measure. We train using a good data set of domains obtained via a crawl of domains mapped to the entire IPv4 address space, and model bad data sets based on behaviors seen so far and expected. We also apply our methodology to packet traces collected at a Tier-1 ISP and show that we can automatically detect domain fluxing as used by the Conficker botnet with minimal false positives.
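The abstract describes scoring a group of domains (those resolving to the same IP set) by comparing their character-level statistics against a benign baseline. The following is an added example, not code from the paper or its authors: it computes the KL-distance between the smoothed unigram character distribution of a group and that of a benign training set, and the Jaccard measure between the group's bigram set and the benign bigram set. The domain lists, the additive smoothing constant and the grouping itself are constructed assumptions for illustration; the paper's actual training corpus, bigram handling and thresholds are not reproduced here.

```python
"""Added example: score a group of domain names for DGA-like character statistics."""
from collections import Counter
from math import log

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
SMOOTHING = 0.5  # additive smoothing so every symbol has non-zero probability (assumed)

# Constructed benign corpus, standing in for the crawled "good" data set.
BENIGN_TRAINING = [
    "google.com", "facebook.com", "wikipedia.org", "amazon.com",
    "youtube.com", "github.com", "microsoft.com", "linkedin.com",
    "stackoverflow.com", "netflix.com", "reddit.com", "twitter.com",
]

# Constructed groups; in the paper's setup each group would share one IP set.
BENIGN_GROUP = [
    "example.net", "university.edu", "weather.com", "station.org",
    "library.org", "research.net", "network.com", "science.org",
]
SUSPICIOUS_GROUP = [
    "xqzvjk7w.com", "kzqxv9jw.net", "qwzjkx3v.org",
    "zxjqvk5w.com", "vkqzxjw1.info",
]


def second_level_label(domain):
    """Return the lowercased second-level label, keeping only alphanumerics."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return "".join(ch for ch in label if ch in ALPHABET)


def unigram_distribution(domains):
    """Smoothed probability of each alphanumeric symbol across the labels."""
    counts = Counter()
    for d in domains:
        counts.update(second_level_label(d))
    total = sum(counts.values()) + SMOOTHING * len(ALPHABET)
    return {c: (counts[c] + SMOOTHING) / total for c in ALPHABET}


def kl_divergence(p, q):
    """KL-distance D(p || q) in nats over the shared alphabet."""
    return sum(p[c] * log(p[c] / q[c]) for c in ALPHABET)


def bigram_set(domains):
    """Set of adjacent character pairs seen in the labels."""
    grams = set()
    for d in domains:
        label = second_level_label(d)
        grams.update(label[i:i + 2] for i in range(len(label) - 1))
    return grams


def jaccard(a, b):
    """Jaccard similarity |a & b| / |a | b|, 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def score_group(group, benign=BENIGN_TRAINING):
    """Score one domain group: high KL and low Jaccard suggest algorithmic names."""
    benign_unigrams = unigram_distribution(benign)
    return {
        "kl": kl_divergence(unigram_distribution(group), benign_unigrams),
        "jaccard": jaccard(bigram_set(group), bigram_set(benign)),
    }


if __name__ == "__main__":
    for name, group in (("benign", BENIGN_GROUP), ("suspicious", SUSPICIOUS_GROUP)):
        s = score_group(group)
        print(f"{name:10s} KL={s['kl']:.3f} Jaccard={s['jaccard']:.3f}")
```

On these constructed inputs the gibberish group has a KL-distance several times that of the English-word group and no bigram overlap with the benign set at all; a real deployment would learn a detection threshold from a much larger crawled corpus, as the paper does, rather than from twelve names.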
Citations
Design and Evaluation of a Real-Time URL Spam Filtering Service
Kurt Thomas, Chris Grier, Justin Ma, Vern Paxson, Dawn Song
- 22 May 2011
TL;DR: It is shown that Monarch can provide accurate, real-time protection, but that the underlying characteristics of spam do not generalize across web services, and the distinctions between email and Twitter spam are explored.
•Proceedings Article
From throw-away traffic to bots: detecting the rise of DGA-based malware
Manos Antonakakis, Roberto Perdisci, Yacin Nadji, Nikolaos Vasiloglou, Saeed Abu-Nimeh, Wenke Lee, David Dagon
- 08 Aug 2012
TL;DR: A new technique to detect randomly generated domains without reversing is presented, finding that most of the DGA-generated domains that a bot queries would result in Non-Existent Domain (NXDomain) responses, and that bots from the same botnet (with the same DGA algorithm) would generate similar NXDomain traffic.
•Posted Content
Malicious URL Detection using Machine Learning: A Survey
TL;DR: This article presents the formal formulation of Malicious URL Detection as a machine learning task, and categorizes and reviews the contributions of literature studies that address different dimensions of this problem (feature representation, algorithm design, etc.).
Beehive: large-scale log analysis for detecting suspicious activity in enterprise networks
Ting-Fang Yen, Alina Oprea, Kaan Onarlioglu, Todd Leetham, William Robertson, Ari Juels, Engin Kirda
- 09 Dec 2013
TL;DR: A novel system, Beehive, that attacks the problem of automatically mining and extracting knowledge from the dirty log data produced by a wide variety of security products in a large enterprise, and is able to identify malicious events and policy violations which would otherwise go undetected.
A Visualized Botnet Detection System Based Deep Learning for the Internet of Things Networks of Smart Cities
R. Vinayakumar, Mamoun Alazab, Sriram Srinivasan, Quoc-Viet Pham, Soman Kotti Padannayil, K. Simran
TL;DR: A botnet detection system based on a two-level deep learning framework for semantically discriminating botnets and legitimate behaviors at the application layer of the domain name system (DNS) services is proposed.
References
•Book
Elements of information theory
Thomas M. Cover, Joy A. Thomas
- 01 Jan 1991
TL;DR: The author examines the role of entropy, inequality, and randomness in the design of codes and the construction of codes in the rapidly changing environment.
•Book
Detection, Estimation, And Modulation Theory
Harry L. Van Trees
- 01 Jan 1968
•Proceedings Article
BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection
Guofei Gu, Roberto Perdisci, Junjie Zhang, Wenke Lee
- 28 Jul 2008
TL;DR: This paper presents a general detection framework that is independent of botnet C&C protocol and structure, and requires no a priori knowledge of botnets (such as captured bot binaries and hence the botnet signatures, and C&C server names/addresses).
Beyond blacklists: learning to detect malicious web sites from suspicious URLs
Justin Ma, Lawrence K. Saul, Stefan Savage, Geoffrey M. Voelker
- 28 Jun 2009
TL;DR: This paper describes an approach to this problem based on automated URL classification, using statistical methods to discover the tell-tale lexical and host-based properties of malicious Web site URLs.