2015
DOI: 10.1016/j.cose.2015.09.004
On the ground truth problem of malicious DNS traffic analysis

Cited by 40 publications (25 citation statements)
References 5 publications
“…The advantage of our collaboration with law enforcement is that we can use their manual classification of benign and malicious domains from the takedown as a trustworthy source of ground truth. Previous studies mostly rely on publicly available blacklists and whitelists as the labeled ground truth [89], but malware blacklists have been found to contain benign parked or sinkholed domains and are ineffective at fully covering domains of several malware families [54], while lists of popular domains commonly used as whitelists can easily be manipulated by malware providers [56].…”
Section: Ground Truth Data
confidence: 99%
“…Criminal activities involving Advanced Persistent Threats (APT), malware and botnets use the DNS service to locate Command and Control (C&C) servers for file transfer and updates [16], [34]. Spammers also rely on the DNS service to redirect users to scams and phishing websites [35]. Zhao et al. [47] explain that these cyber-criminal activities are often successful because DNS traffic is usually unfiltered or allowed through a firewall, thereby providing a stealthy and undisturbed communication channel for cyber-criminals to operate.…”
Section: Introduction
confidence: 99%
“…Zhao et al. also state that DDNS provides the capability for cyber-criminals to maintain a persistent presence on a victim's machine once it has been compromised, as they can easily change their IP and domain information [47]. Stevanovic et al. [35] call DDNS "agile DNS" and argue that this feature poses a serious challenge to internet security. Agile DNS uses dynamic hosting strategies in which the domain names and IP addresses associated with a particular service change over time.…”
Section: Introduction
confidence: 99%