Detecting algorithmically generated malicious domain names
IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
Building a dynamic reputation system for DNS
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
ARROW: GenerAting SignatuRes to Detect DRive-By DOWnloads
Proceedings of the 20th international conference on World wide web
Detecting malware domains at the upper DNS hierarchy
SEC'11 Proceedings of the 20th USENIX conference on Security
Spam or ham?: characterizing and detecting fraudulent "not spam" reports in web mail systems
Proceedings of the 8th Annual Collaboration, Electronic messaging, Anti-Abuse and Spam Conference
IFIP'12 Proceedings of the 11th international IFIP TC 6 conference on Networking - Volume Part I
AIMS'12 Proceedings of the 6th IFIP WG 6.6 international autonomous infrastructure, management, and security conference on Dependable Networks and Services
Detecting algorithmically generated domain-flux attacks with DNS traffic analysis
IEEE/ACM Transactions on Networking (TON)
Fluxing botnet command and control channels with URL shortening services
Computer Communications
Efficient multidimensional aggregation for large scale monitoring
lisa'12 Proceedings of the 26th international conference on Large Installation System Administration: strategies, tools, and techniques
Computer Networks: The International Journal of Computer and Telecommunications Networking
Genetic-based real-time fast-flux service networks detection
Computer Networks: The International Journal of Computer and Telecommunications Networking
Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues
Information Sciences: an International Journal
An empirical reexamination of global DNS behavior
Proceedings of the ACM SIGCOMM 2013 conference on SIGCOMM
Survey and taxonomy of botnet research through life-cycle
ACM Computing Surveys (CSUR)
Beehive: large-scale log analysis for detecting suspicious activity in enterprise networks
Proceedings of the 29th Annual Computer Security Applications Conference
Hi-index | 0.00 |
In this paper we propose a novel, passive approach for detecting and tracking malicious flux service networks. Our detection system is based on passive analysis of recursive DNS (RDNS) traffic traces collected from multiple large networks. Contrary to previous work, our approach is not limited to the analysis of suspicious domain names extracted from spam emails or precompiled domain blacklists. Instead, our approach is able to detect malicious flux service networks in-the-wild, i.e., as they are accessed by users who fall victims of malicious content advertised through blog spam, instant messaging spam, social website spam, etc., beside email spam. We experiment with the RDNS traffic passively collected at two large ISP networks. Overall, our sensors monitored more than 2.5 billion DNS queries per day from millions of distinct source IPs for a period of 45 days. Our experimental results show that the proposed approach is able to accurately detect malicious flux service networks. Furthermore, we show how our passive detection and tracking of malicious flux service networks may benefit spam filtering applications.