Detecting algorithmically generated domain-flux attacks with DNS traffic analysis

IEEE/ACM Transactions on Networking

Volumn 20, Issue 5, 2012, Pages 1663-1677

  Yadav, Sandeep ^a   Reddy, Ashwath Kumar Krishna ^b   Narasimha Reddy, A L ^a   Ranjan, Supranamaya ^c  

^a Department of Electrical and Computer Engineering   (United States)

^b MICROSOFT   (United States)

^c MyLikes Corporation   (United States)

Author keywords

Components; domain flux; domain names; Edit distance; entropy; IP fast flux; Jaccard index; malicious

Indexed keywords

COMPONENTS; DOMAIN NAMES; EDIT DISTANCE; FAST FLUX; JACCARD INDEX; MALICIOUS;

ENTROPY; TRACE ANALYSIS;

INTERNET PROTOCOLS;

EID: 84867774439     PISSN: 10636692     EISSN: None     Source Type: Journal    
DOI: 10.1109/TNET.2012.2184552     Document Type: Article

References (35)

1. BotLab, "BotLab: A study in spam," 2011 [Online]. Available: http://botlab.org
2. McAfee, "McAfee Site Advisor," 2011 [Online]. Available: http://www.siteadvisor.com
3. P. Royal, "On Kraken and Bobax botnets," Damballa, Inc., Atlanta, GA, 2008 [Online]. Available: http://www.damballa.com/downloads/r-pubs/ Kraken-Response.pdf
4. P. Royal, "On Kraken and Bobax botnets," Damballa, Inc., Atlanta, GA, 2008 [Online]. Available: http://www.damballa.com/downloads/r-pubs/ Kraken-Response.pdf
5. PC Tools, "PC Tools experts crack new Kraken," 2008 [Online]. Available: http://www.pctools.com/news/view/id/202/
6. "Twitter API still attracts hackers," Unmask Parasites blog, 2009 [Online]. Available: http://blog.unmaskparasites.com/2009/12/09/twitterapi- still-attracts-hackers/
7. WOT, "Web of Trust," 2011 [Online]. Available: http://mywot.com
8. Microsoft, "Win32/Hamewq," 2009 [Online]. Available: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry. aspx?Name=Win32/Hamweq
9. Yahoo! Research, "Yahoo! Webspam database," [Online]. Available: http://barcelona.research.yahoo.net/webspam/datasets/uk2007/
10. M. Antonakakis, R. Perdisci, D. Dagon, W. Lee, and N. Feamster, "Building a dynamic reputation system for DNS," in Proc. USENIX Security Symp., 2010, p. 18.
11. A. Bratko, G. V. Cormack, B. Filipic, T. R. Lynam, and B. Zupan, "Spam filtering using statistical data compression models," J. Mach. Learning Res., vol. 7, pp. 2673-2698, 2006. (Pubitemid 46011492)
12. T. Cover and J. Thomas, Elements of Information Theory. Hoboken, NJ: Wiley, 2006.
13. H. Crawford and J. Aycock, "Kwyjibo: Automatic domain name generation," in Software Practice and Experience. Hoboken, NJ: Wiley, 2008.
14. S. Gianvecchio,M. Xie, Z.Wu, and H.Wang, "Measurement and classification of humans and bots in internet chat," in Proc. 17th USENIX Security, 2008, pp. 155-169.
15. G. Gu, R. Perdisci, J. Zhang, and W. Lee, "BotMiner: Clustering analysis of network traffic for protocol-and structure-independent botnet detection," in Proc. 17th USENIX Security, 2008, pp. 139-154.
16. G. Gu, J. Zhang, and W. Lee, "BotSniffer: Detecting botnet command and control channels in network traffic," presented at the 15th Annu. NDSS, Feb. 2008.
17. T. Holz, M. Steiner, F. Dahl, E. W. Biersack, and F. Freiling, "Measurements and mitigation of peer-to-peer-based botnets: A case study on storm worm," in Proc. 1st USENIX LEET, Apr. 2008, Article no. 9.
18. S. Savage, J. Ma, L. K. Saul, and G. Voelker, "Beyond blacklists: Learning to detect malicious Web sites from suspicious URLs," in Proc. ACM KDD, Jul. 2009, pp. 1245-1254.
19. R. Tibshirani, J. Friedman, and T. Hastie, "glmnet: Lasso and elastic-net regularized generalized linear models," Tech. rep., 2009.
20. J. P. John, A. MoshChuck, S. D. Gribble, and A. Krishnamurthy, "Studying spamming botnets using botlab," in Proc. NSDI, 2009, pp. 291-306.
21. M. Konte, N. Feamster, and J. Jung, "Dynamics of online scam hosting infrastructure," in Proc. Passive Active Meas. Conf., 2009, pp. 219-228.
22. C. D. Manning, P. Raghavan, and H. Schutze, An Information to Information Retrieval. Cambridge, U.K.: Cambridge Univ. Press, 2009.
23. D. K. McGrath and M. Gupta, "Behind phishing: An examination of phisher modi operandi," in Proc. USENIX LEET, Apr. 2008, Article no. 4.
24. E. Passerini, R. Paleari, L. Martignoni, and D. Bruschi, "Fluxor: Detecting and monitoring fast-flux service networks," in Proc. Detection Intrusions Malware, Vulnerability Assess., 2008, pp. 186-206.
25. R. Perdisci, I. Corona, D. Dagon, and W. Lee, "Detecting malicious flux service networks through passive analysis of recursive DNS traces," in Proc. ACSAC, Dec. 2009, pp. 311-320.
26. R. Perdisci, G. Gu, and W. Lee, "Using an ensemble of one-class SVM classifiers to harden payload-based anomaly detection systems," in Proc. IEEE ICDM, 2006, pp. 488-498. (Pubitemid 47485828)
27. P. Porras, H. Saidi, and V. Yegneswaran, "Conficker C P2P protocol and implementation," SRI International, Menlo Park, CA, Tech. Rep., Sep. 2009.
28. P. Porras, H. Saidi, and V. Yegneswaran, "Conficker C analysis," Tech. rep., Apr. 2009 [Online]. Available: http://mtc.sri.com/ Conficker/addendumC
29. P. Porras, H. Saidi, and V. Yegneswaran, "An analysis of Conficker's logic and rendezvous points," Tech. rep., Mar. 2009.
30. J. Stewart, "Inside the storm: Protocols and encryption of the storm botnet," presented at the Black Hat Tech. Security Conf., 2008.
31. B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna, "Your botnet is my botnet: Analysis of a botnet takeover," in Proc. ACM CCS, Nov. 2009, pp. 635-647.
32. H. L. V. Trees, Detection, Estimation and Modulation Theory. New York: Wiley, 2001.
33. I. Trestian, S. Ranjan, A. Kuzmanovic, and A. Nucci, "Unconstrained endpoint profiling: Googling the internet," in Proc. ACM SIGCOMM, Aug. 2008, pp. 279-290.
34. Y. Xie, F. Yu, K. Achan, R. Panigrahy, G. Hulten, and I. Osipkov, "Spamming botnets: Signatures and characteristics," Comput. Commun. Rev., vol. 38, no. 4, pp. 171-182, 2008.
35. Y. Zhao, Y. Xie, F. Yu, Q. Ke, Y. Yu, Y. Chen, and E. Gillum, "Botgraph: Large scale spamming botnet detection," in Proc. USENIX NSDI, 2009, pp. 321-334.