By Topic

Identifying Botnets Using Anomaly Detection Techniques Applied to DNS Traffic

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$33 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

2 Author(s)
Ricardo Villamarin-Salomon ; Univ. of Pittsburgh, Pittsburgh ; Jose Carlos Brustoloni

Bots are compromised computers that communicate with a botnet command and control (C& C) server. Bots typically employ dynamic DNS (DDNS) to locate the respective C&C server. By injecting commands into such servers, botmasters can reuse bots for a variety of attacks. We evaluate two approaches for identifying botnet C&C servers based on anomalous DDNS traffic. The first approach consists in looking for domain names whose query rates are abnormally high or temporally concentrated. High DDNS query rates may be expected because botmasters frequently move C&C servers, and botnets with as many as 1.5 million bots have been discovered. The second approach consists in looking for abnormally recurring DDNS replies indicating that the query is for an inexistent name (NXDOMAIN). Such queries may correspond to bots trying to locate C&C servers that have been taken down. In our experiments, the second approach automatically identified several domain names that were independently reported by others as being suspicious, while the first approach was not as effective.

Published in:

2008 5th IEEE Consumer Communications and Networking Conference

Date of Conference:

10-12 Jan. 2008