Detection, Estimation, and Modulation Theory: Radar-Sonar Signal Processing and Gaussian Signals in Noise
Elements of Information Theory (Wiley Series in Telecommunications and Signal Processing)
Elements of Information Theory (Wiley Series in Telecommunications and Signal Processing)
Using an Ensemble of One-Class SVM Classifiers to Harden Payload-based Anomaly Detection Systems
ICDM '06 Proceedings of the Sixth International Conference on Data Mining
Spam Filtering Using Statistical Data Compression Models
The Journal of Machine Learning Research
Behind phishing: an examination of phisher modi operandi
LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
Measurements and mitigation of peer-to-peer-based botnets: a case study on storm worm
LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
Introduction to Information Retrieval
Introduction to Information Retrieval
Spamming botnets: signatures and characteristics
Proceedings of the ACM SIGCOMM 2008 conference on Data communication
Unconstrained endpoint profiling (googling the internet)
Proceedings of the ACM SIGCOMM 2008 conference on Data communication
FluXOR: Detecting and Monitoring Fast-Flux Service Networks
DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Kwyjibo: automatic domain name generation
Software—Practice & Experience
SS'08 Proceedings of the 17th conference on Security symposium
Measurement and classification of humans and bots in internet chat
SS'08 Proceedings of the 17th conference on Security symposium
Dynamics of Online Scam Hosting Infrastructure
PAM '09 Proceedings of the 10th International Conference on Passive and Active Network Measurement
Beyond blacklists: learning to detect malicious web sites from suspicious URLs
Proceedings of the 15th ACM SIGKDD international conference on Knowledge discovery and data mining
Studying spamming botnets using Botlab
NSDI'09 Proceedings of the 6th USENIX symposium on Networked systems design and implementation
BotGraph: large scale spamming botnet detection
NSDI'09 Proceedings of the 6th USENIX symposium on Networked systems design and implementation
Your botnet is my botnet: analysis of a botnet takeover
Proceedings of the 16th ACM conference on Computer and communications security
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces
ACSAC '09 Proceedings of the 2009 Annual Computer Security Applications Conference
Communications of the ACM
What's in a name. . . generator?
Journal in Computer Virology
IFIP'12 Proceedings of the 11th international IFIP TC 6 conference on Networking - Volume Part I
From throw-away traffic to bots: detecting the rise of DGA-based malware
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Manufacturing compromise: the emergence of exploit-as-a-service
Proceedings of the 2012 ACM conference on Computer and communications security
DNS to the rescue: discerning content and services in a tangled web
Proceedings of the 2012 ACM conference on Internet measurement conference
Proactive discovery of phishing related domain names
RAID'12 Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses
Fluxing botnet command and control channels with URL shortening services
Computer Communications
An empirical reexamination of global DNS behavior
Proceedings of the ACM SIGCOMM 2013 conference on SIGCOMM
Survey and taxonomy of botnet research through life-cycle
ACM Computing Surveys (CSUR)
Understanding the domain registration behavior of spammers
Proceedings of the 2013 conference on Internet measurement conference
Beehive: large-scale log analysis for detecting suspicious activity in enterprise networks
Proceedings of the 29th Annual Computer Security Applications Conference
Towards classification of DNS erroneous queries
Proceedings of the 9th Asian Internet Engineering Conference
Practical comprehensive bounds on surreptitious communication over DNS
SEC'13 Proceedings of the 22nd USENIX conference on Security
Hi-index | 0.02 |
Recent Botnets such as Conficker, Kraken and Torpig have used DNS based "domain fluxing" for command-and-control, where each Bot queries for existence of a series of domain names and the owner has to register only one such domain name. In this paper, we develop a methodology to detect such "domain fluxes" in DNS traffic by looking for patterns inherent to domain names that are generated algorithmically, in contrast to those generated by humans. In particular, we look at distribution of alphanumeric characters as well as bigrams in all domains that are mapped to the same set of IP-addresses. We present and compare the performance of several distance metrics, including KL-distance, Edit distance and Jaccard measure. We train by using a good data set of domains obtained via a crawl of domains mapped to all IPv4 address space and modeling bad data sets based on behaviors seen so far and expected. We also apply our methodology to packet traces collected at a Tier-1 ISP and show we can automatically detect domain fluxing as used by Conficker botnet with minimal false positives.