DNS performance and the effectiveness of caching. IEEE/ACM Transactions on Networking (TON).
How to Own the Internet in Your Spare Time. Proceedings of the 11th USENIX Security Symposium.
Pattern Classification (2nd Edition).
Pattern Recognition and Machine Learning (Information Science and Statistics).
A multifaceted approach to understanding the botnet phenomenon. Proceedings of the 6th ACM SIGCOMM conference on Internet measurement.
Very fast containment of scanning worms. SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13.
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15.
Using uncleanliness to predict future botnet addresses. Proceedings of the 7th ACM SIGCOMM conference on Internet measurement.
Inside risks: Reflections on Conficker. Communications of the ACM - A View of Parallel Computing.
Your botnet is my botnet: analysis of a botnet takeover. Proceedings of the 16th ACM conference on Computer and communications security.
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces. ACSAC '09 Proceedings of the 2009 Annual Computer Security Applications Conference.
On the potential of proactive domain blacklisting. LEET'10 Proceedings of the 3rd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more.
Building a dynamic reputation system for DNS. USENIX Security'10 Proceedings of the 19th USENIX conference on Security.
Monitoring the initial DNS behavior of malicious domains. Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference.
Assessing the real-world dynamics of DNS. TMA'12 Proceedings of the 4th international conference on Traffic Monitoring and Analysis.
From throw-away traffic to bots: detecting the rise of DGA-based malware. Security'12 Proceedings of the 21st USENIX conference on Security symposium.
Proceedings of the 2012 ACM conference on Computer and communications security.
Proactive discovery of phishing related domain names. RAID'12 Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses.
Efficient multidimensional aggregation for large scale monitoring. LISA'12 Proceedings of the 26th international conference on Large Installation System Administration: strategies, tools, and techniques.
An empirical reexamination of global DNS behavior. Proceedings of the ACM SIGCOMM 2013 conference on SIGCOMM.
Survey and taxonomy of botnet research through life-cycle. ACM Computing Surveys (CSUR).
Understanding the domain registration behavior of spammers. Proceedings of the 2013 conference on Internet measurement conference.
Development the method of detection the malicious pages interconnection in the internet. Proceedings of the 6th International Conference on Security of Information and Networks.
Beehive: large-scale log analysis for detecting suspicious activity in enterprise networks. Proceedings of the 29th Annual Computer Security Applications Conference.
Towards classification of DNS erroneous queries. Proceedings of the 9th Asian Internet Engineering Conference.
ExecScent: mining for new C&C domains in live networks with adaptive control protocol templates. SEC'13 Proceedings of the 22nd USENIX conference on Security.
In recent years, Internet miscreants have been leveraging the DNS to build malicious network infrastructures for malware command and control. In this paper we propose a novel detection system called Kopis for detecting malware-related domain names. Kopis passively monitors DNS traffic at the upper levels of the DNS hierarchy and is able to accurately detect malware domains by analyzing global DNS query resolution patterns. Compared to previous DNS reputation systems such as Notos [3] and Exposure [4], which rely on monitoring traffic from local recursive DNS servers, Kopis offers a new vantage point and introduces new traffic features specifically chosen to leverage the global visibility obtained by monitoring network traffic at the upper DNS hierarchy. Unlike previous work, Kopis enables DNS operators to independently (i.e., without needing data from other networks) detect malware domains within their authority, so that action can be taken to stop the abuse. Moreover, unlike previous work, Kopis can detect malware domains even when no IP reputation information is available. We developed a proof-of-concept version of Kopis and experimented with eight months of real-world data. Our experimental results show that Kopis can achieve high detection rates (e.g., 98.4%) and low false positive rates (e.g., 0.3% or 0.5%). In addition, Kopis is able to detect new malware domains days or even weeks before they appear in public blacklists and security forums, and it allowed us to discover the rise of a previously unknown DDoS botnet based in China.
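The abstract above rests on a vantage-point argument: an authoritative or TLD-level server does not see end clients, it sees which recursive resolvers, from which networks, ask for a name, and that global view is what the features exploit, without any IP reputation feed. The Python below is an added example, not the Kopis implementation and not code from the paper's authors. It parses a constructed authoritative query log, computes per-domain requester-diversity-style features (distinct resolvers, distinct /16 networks as a stand-in for an AS lookup, query-share entropy, and the number of zone names each resolver queried as a proxy for the size of its client population), and ranks domains with a transparent hand-written score in place of the supervised classifier the paper trains on labelled domains. The log format, the /16 and name-count proxies, the `min_queries` floor and the score itself are assumptions made for illustration.

```python
"""Added example, not the Kopis paper's code: requester-diversity style
features from an authoritative (upper-hierarchy) DNS query log, using no
IP reputation input. Feature definitions and thresholds are assumptions."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
import math

# Constructed sample log (not real traffic). Columns: epoch seconds,
# requester IP (a recursive resolver; end clients are invisible here),
# queried name, query type. The operator is assumed authoritative for .test.
# The last line is deliberately malformed to exercise the parser.
SAMPLE_LOG = """\
1300000000 198.51.100.7 www.example-shop.test A
1300000005 198.51.100.7 mail.example-shop.test MX
1300000010 198.51.100.7 www.example-shop.test A
1300000020 198.51.100.9 www.example-shop.test A
1300000025 198.51.100.9 mail.example-shop.test MX
1300000030 203.0.113.21 www.example-shop.test AAAA
1300000035 203.0.113.21 mail.example-shop.test MX
1300000040 198.51.100.7 www.example-shop.test A
1300000050 198.51.100.9 www.example-shop.test A
1300000060 203.0.113.21 www.example-shop.test A
1300000070 198.51.100.7 www.example-shop.test A
1300000100 192.0.2.11 cdn-update-3.test A
1300000110 198.18.5.5 cdn-update-3.test A
1300000120 100.64.1.1 cdn-update-3.test A
1300000130 203.0.113.5 cdn-update-3.test A
1300000140 192.88.99.3 cdn-update-3.test A
1300000150 198.19.200.2 cdn-update-3.test A
this line is truncated garbage and must be skipped
"""


def parse_log(text):
    """Return (ts, requester_ip, qname, qtype) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # wrong field count: ignore instead of crashing
        ts, rip, qname, qtype = parts
        try:
            ip_address(rip)
            records.append((int(ts), rip, qname.lower().rstrip("."), qtype.upper()))
        except ValueError:
            continue  # bad timestamp or address
    return records


def requester_network(ip):
    """Hypothetical network key: the /16 containing the requester (stands in for an AS lookup)."""
    return str(ip_network(f"{ip}/16", strict=False))


def requester_weights(records):
    """Proxy (assumption) for a resolver's client population: distinct names it queried."""
    names = defaultdict(set)
    for _, rip, qname, _ in records:
        names[rip].add(qname)
    return {rip: len(s) for rip, s in names.items()}


def extract_features(records):
    """Per-domain requester-diversity features over the whole window."""
    per_domain = defaultdict(list)
    for _, rip, qname, _ in records:
        per_domain[qname].append(rip)
    weights = requester_weights(records)
    feats = {}
    for dom, reqs in per_domain.items():
        c = Counter(reqs)
        n = len(reqs)
        entropy = -sum((v / n) * math.log2(v / n) for v in c.values())
        feats[dom] = {
            "queries": n,
            "resolvers": len(c),
            "nets": len({requester_network(r) for r in c}),
            "top_share": max(c.values()) / n,          # 1.0 = one resolver sends everything
            "entropy": round(entropy, 3),             # bits of spread across resolvers
            "mean_req_weight": round(sum(weights[r] for r in c) / len(c), 3),
        }
    return feats


def suspicion_score(f, min_queries=5):
    """Hand-written stand-in for a trained classifier; 0.0 means 'not enough evidence'."""
    if f["queries"] < min_queries:
        return 0.0  # a handful of queries looks maximally dispersed by ratio alone
    dispersion = f["nets"] / f["queries"]       # 1.0 = every query came from a new network
    spread = 1.0 - f["top_share"]               # 0.0 = a single resolver dominates
    obscurity = 1.0 / f["mean_req_weight"]      # 1.0 = requesters touched nothing else in the zone
    return round((dispersion + spread + obscurity) / 3, 3)


def rank_domains(text):
    """Parse a log, score every domain, return [(domain, score)] best-first."""
    feats = extract_features(parse_log(text))
    scored = [(dom, suspicion_score(f)) for dom, f in feats.items()]
    return sorted(scored, key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for dom, score in rank_domains(SAMPLE_LOG):
        print(f"{score:.3f}  {dom}")
```

On the constructed data the throwaway name queried once each from six unrelated networks ranks first and the shop's web host, hammered by three resolvers that also ask for its MX, ranks low; the MX name itself is left unscored because three queries are not evidence of anything at this vantage point, which is the caveat the `min_queries` floor encodes. Before reading anything into such a score on real data, replace the /16 and name-count proxies with BGP and resolver-population data and the hand-written formula with a classifier trained on labelled domains.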