Detecting Algorithmically Generated Domain-Flux Attacks With DNS Traffic Analysis

Yadav, Sandeep; Reddy, Ashwath Kumar Krishna; Reddy, A. L. Narasimha; Ranjan, Supranamaya

doi:10.1109/tnet.2012.2184552

Cited by 203 publications

(142 citation statements)

References 8 publications

Supporting

Mentioning

142

Contrasting

Order By: Relevance

“…While botnets with a fully P2P topology are on the rise, DNS is still abused by cybercriminals to build centralized, yet reliable botnet infrastructures [2,3,8,14,15,21]. An effective technique used to improve resiliency to take downs and tracking is domain flux.…”

Section: Background and Research Gapsmentioning

confidence: 99%

“…Antonakakis et al [3], Yadav et al [21,22], instead, relied on features extracted from groups of domains, which creates the additional problem of how to create such groups. The authors circumvented this problem by choosing random groups of domains.…”

Section: Discovery Modulementioning

confidence: 99%

“…However, existing approaches are based on supervised learning and make assumptions on how domains should be grouped before processing. Yadav et al [21,22] leverage the randomization of DGA-generated names to distinguish them from non-DGA ones by means of linguistic features bi-grams computed over domain sets, which are then classified as sets of DGA-or non-DGA-related. The work explores different strategies to group domain in sets before feeding them to the classifier.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Phoenix: DGA-Based Botnet Tracking and Intelligence

Schiavoni

Maggi

Cavallaro

et al. 2014

Lecture Notes in Computer Science

152

125

View full text Add to dashboard Cite

Abstract. Modern botnets rely on domain-generation algorithms (DGAs) to build resilient command-and-control infrastructures. Given the prevalence of this mechanism, recent work has focused on the analysis of DNS traffic to recognize botnets based on their DGAs. While previous work has concentrated on detection, we focus on supporting intelligence operations. We propose Phoenix, a mechanism that, in addition to telling DGA-and non-DGA-generated domains apart using a combination of string and IP-based features, characterizes the DGAs behind them, and, most importantly, finds groups of DGA-generated domains that are representative of the respective botnets. As a result, Phoenix can associate previously unknown DGA-generated domains to these groups, and produce novel knowledge about the evolving behavior of each tracked botnet. We evaluated Phoenix on 1,153,516 domains, including DGA-generated domains from modern, well-known botnets: without supervision, it correctly distinguished DGA-vs. non-DGA-generated domains in 94.8 percent of the cases, characterized families of domains that belonged to distinct DGAs, and helped researchers "on the field" in gathering intelligence on suspicious domains to identify the correct botnet.

show abstract

Section: Background and Research Gapsmentioning

confidence: 99%

Section: Discovery Modulementioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Phoenix: DGA-Based Botnet Tracking and Intelligence

Schiavoni

Maggi

Cavallaro

et al. 2014

Lecture Notes in Computer Science

152

125

View full text Add to dashboard Cite

show abstract

“…Method 6, we have a blacklist of C&C servers [8], [5], [11], [3], any connection to one of those servers is an attack. Another technique can be used in this step is domain flux technique [28]; an exploited host may try to connect to a large number of domain names which are expected to be C&C servers. The goal of this technique is to make it difficult or even impossible to shut down all of these domain names.…”

Section: Proposed Approachmentioning

confidence: 99%

Proposed Approach for Targeted Attacks Detection

Ghafir

Přenosil

2015

Lecture Notes in Electrical Engineering

View full text Add to dashboard Cite

Abstract. For years governments, organizations and companies have made great efforts to keep hackers, malware, cyber attacks at bay with different degrees of success. On the other hand, cyber criminals and miscreants produced more advanced techniques to compromise Internet infrastructure. Targeted attack or advanced persistent threat (APT) attack is a new challenge and aims to accomplish a specific goal, most often espionage. APTs are presently the biggest threat to governments and organizations. This paper states research questions and propose a novel approach to intrusion detection system processes network traffic and able to detect potential APT attack. This detection of APT attack is based on the correlation between the events which we get as outputs of our detection methods. Each detection method aims to detect one technique used in one of APT attack steps.

show abstract

“…[2]. Sandeep Yadav (2012) detects the automatically generated domain names by looking at distribution of alphanumeric characters as well as bigrams in all domain names that are mapped to the same set of IP-addresses [7]; Fariba Haddadi(2013), with the improved SBB neural network algorithm, alleviates the previous dependence of machine learning on prior knowledge [8]. Moreover, since 2009, Sanjeet, Pawan and Samuel have introduced the word segment techniques in the field of natural language to extract and restructure keywords from domain names for DNS probing and proactive forecast of blacklist [4][5][6].…”

Section: Introductionmentioning

confidence: 99%

Detecting Machine Generated Domain Names Based on Morpheme Features

Zhang¹,

Gong²,

Liu³

2013

Advances in Intelligent Systems Research

View full text Add to dashboard Cite

Abstract-To detect machine generated domain names, we proposed a method to exclude human generated domain names by analyzing the basic morphemes in the character strings of domain names (The basic morphemes in English are word roots and affixes while in Chinese are initials and finals). Experimental results show that the analysis of the morphemes can make a great progress in the efficiency and accuracy of detection.

show abstract

Detecting Algorithmically Generated Domain-Flux Attacks With DNS Traffic Analysis

Cited by 203 publications

References 8 publications

Phoenix: DGA-Based Botnet Tracking and Intelligence

Phoenix: DGA-Based Botnet Tracking and Intelligence

Proposed Approach for Targeted Attacks Detection

Detecting Machine Generated Domain Names Based on Morpheme Features

Contact Info

Product

Resources

About