Return to search

Detecting Networks Employing Algorithmically Generated Domain Names

Recent Botnets such as Conficker, Kraken and Torpig have used DNS based "domain fluxing" for command-and-control, where each Bot queries for existence of a
series of domain names and the owner has to register only one such domain name. In
this report, we develop a methodology to detect such "domain
fluxes" in DNS traffic
by looking for patterns inherent to domain names that are generated algorithmically,
in contrast to those generated by humans. In particular, we look at distribution
of alphanumeric characters as well as bigrams in all domains that are mapped to
the same set of IP-addresses. We present and compare the performance of several
distance metrics, including KL-distance and Edit distance. We train by using a good
data set of domains obtained via a crawl of domains mapped to all IPv4 address space
and modeling bad data sets based on behaviors seen so far and expected. We also
apply our methodology to packet traces collected at two Tier-1 ISPs and show we can
automatically detect domain
fluxing as used by Conficker botnet with minimal false
positives. We are also able to detect new botnets and other malicious networks using
our method.

Identiferoai:union.ndltd.org:tamu.edu/oai:repository.tamu.edu:1969.1/ETD-TAMU-2010-08-8417
Date2010 August 1900
CreatorsAshwath Kumar Krishna Reddy
ContributorsNarasimha Reddy, Annappa Reddy
Source SetsTexas A and M University
Languageen_US
Detected LanguageEnglish
Typethesis, text
Formatapplication/pdf

Page generated in 0.0022 seconds