DGA-Based Botnet Detection Using DNS Traffic

Yong-lin Zhou¹, Qing-shan Li², Qidi Miao³*, and Kangbin Yim⁴

¹ Computer Emergency Response Team, Beijing 100029, China

zyl@cert.org.cn


² MoE Key Lab. of Network and Software Security Assurance of Peking University, Beijing 100871, China

liqs@infosec.pku.edu.cn

³ Software College, Northeastern University, Shenyang 110819, China

qidi_miao@126.com


⁴ Soonchunhyang University, Asan 336745, Republic of Korea

yim@sch.ac.kr


Abstract

In recent years, an increasing number of botnets use Domain Generation Algorithms (DGAs) to bypass botnet detection systems. DGAs, also referred to as "domain fluxing", have been used by botnet controllers since 2004 and have now become an emerging trend in malware. They can dynamically and frequently generate a large number of random domain names, which are used to prevent security systems from detecting and blocking the botnet's command-and-control traffic. In this paper, we present a new technique to detect DGAs using DNS NXDomain traffic. Our insight is that every domain name in the domain group generated by one botnet using a DGA is typically used for only a short period of time, and the names in the group have a similar live time and query style. We look for this pattern in DNS NXDomain traffic to filter out the algorithmically generated domains that DGA-based botnets produce. We implemented a prototype system and carried out an experiment at a pilot RDNS of an Internet operator. The results show that our method is effective at detecting algorithmically generated domains used by botnets.
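To make the described pattern concrete, the following Python script is an added illustration and not the authors' prototype: it groups constructed NXDOMAIN log records by the set of clients that queried each name and keeps only groups of short-lived names. The log format, the client-set grouping as a proxy for "query style", and the thresholds are assumptions.

```python
# Added illustration of the NXDOMAIN-clustering idea described in the abstract.
# Log format, grouping key and thresholds are assumptions, not the paper's.
from collections import defaultdict
from datetime import datetime

# Constructed sample of NXDOMAIN responses: "timestamp client qname" (not real traffic).
SAMPLE_NXDOMAIN_LOG = """\
2013-05-01T10:00:01 10.0.0.5 kq3xv8zpl.com
2013-05-01T10:00:02 10.0.0.7 kq3xv8zpl.com
2013-05-01T10:00:03 10.0.0.5 m7tq2bwxr.net
2013-05-01T10:00:04 10.0.0.7 m7tq2bwxr.net
2013-05-01T10:00:05 10.0.0.5 zx91pqlv0.org
2013-05-01T10:00:06 10.0.0.7 zx91pqlv0.org
2013-05-01T10:00:07 10.0.0.5 ab2c9dxq7.info
2013-05-01T10:00:08 10.0.0.7 ab2c9dxq7.info
2013-05-01T09:00:00 10.0.0.9 wwww.example.com
2013-05-01T18:30:00 10.0.0.9 wwww.example.com
2013-05-01T11:00:00 10.0.0.3 typo-of-a-real-site.com
"""


def parse_log(text):
    """Yield (timestamp, client, qname) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        yield datetime.fromisoformat(ts), client, qname.lower().rstrip(".")


def find_dga_groups(records, max_live_seconds=3600, min_group_size=3):
    """Group short-lived NXDOMAIN names by the set of clients that queried them.

    A name's live time is the span between its first and last NXDOMAIN response.
    Names queried by the same client set within a short window are returned as a
    group when the group is large enough to look algorithmically generated.
    """
    first, last, clients = {}, {}, defaultdict(set)
    for ts, client, qname in records:
        first[qname] = min(first.get(qname, ts), ts)
        last[qname] = max(last.get(qname, ts), ts)
        clients[qname].add(client)
    groups = defaultdict(list)
    for qname in first:
        live = (last[qname] - first[qname]).total_seconds()
        if live <= max_live_seconds:
            groups[frozenset(clients[qname])].append(qname)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_group_size}


if __name__ == "__main__":
    for client_set, names in find_dga_groups(parse_log(SAMPLE_NXDOMAIN_LOG)).items():
        print(sorted(client_set), names)
```

On the constructed sample, the long-lived typo domain and the single-client lookup fall out of the result, leaving one group of four short-lived names shared by two clients.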

Keywords: Domain Generation Algorithms, Domain fluxing, Domain names, NXDOMAIN

* Corresponding author: Qidi Miao, No.11 Wenhualu, Heping District, Shenyang, Liaoning Province, China, 110819, Tel: +86-15504022631


Journal of Internet Services and Information Security (JISIS), 3(3/4): 116-123, November 2013