Recent Botnets such as Conficker, Kraken and Torpig have used DNS based "domain fluxing" for command-and-control, where each Bot queries for existence of a
series of domain names and the owner has to register only one such domain name. In
this report, we develop a methodology to detect such "domain
fluxes" in DNS traffic
by looking for patterns inherent to domain names that are generated algorithmically,
in contrast to those generated by humans. In particular, we look at distribution
of alphanumeric characters as well as bigrams in all domains that are mapped to
the same set of IP-addresses. We present and compare the performance of several
distance metrics, including KL-distance and Edit distance. We train by using a good
data set of domains obtained via a crawl of domains mapped to all IPv4 address space
and modeling bad data sets based on behaviors seen so far and expected. We also
apply our methodology to packet traces collected at two Tier-1 ISPs and show we can
automatically detect domain
fluxing as used by Conficker botnet with minimal false
positives. We are also able to detect new botnets and other malicious networks using
our method.
Identifer | oai:union.ndltd.org:tamu.edu/oai:repository.tamu.edu:1969.1/ETD-TAMU-2010-08-8417 |
Date | 2010 August 1900 |
Creators | Ashwath Kumar Krishna Reddy |
Contributors | Narasimha Reddy, Annappa Reddy |
Source Sets | Texas A and M University |
Language | en_US |
Detected Language | English |
Type | thesis, text |
Format | application/pdf |
Page generated in 0.0018 seconds