DNS Query Failure and Algorithmically Generated Domain-Flux Detection




Year of publication 2014
Type Article in Proceedings
Conference Proceedings of International Conference on Frontiers of Communications, Networks and Applications
MU Faculty or unit Faculty of Informatics

Web http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=7141236&newsearch=true&searchWithin=%22First%20Name%22:Ibrahim&searchWithin=%22Last%20Name%22:Ghafir
Doi http://dx.doi.org/10.1049/cp.2014.1410
Field Informatics
Keywords Cyber attacks; botnet; domain flux; malware; intrusion detection system
Description Botnets are now recognized as one of the most serious security threats. Recent botnets such as Conficker, Murofet and BankPatch have used the domain flux technique to connect to their command and control (C&C) servers: each bot queries for the existence of a series of domain names used as rendezvous points with its controllers, while the botnet owner has to register only one such domain name. The large number of potential rendezvous points makes it difficult for law enforcement to effectively shut down botnets. In this paper we present our methodology for detecting algorithmically generated domain flux. Our detection method is based on the DNS query failures that the domain flux technique produces. We process the network traffic, particularly DNS traffic, analyze all DNS query failures, and propose a threshold for the number of DNS query failures originating from the same IP address. We applied our methodology to a packet capture (pcap) file containing real, long-lived malware traffic and showed that it successfully detects the domain flux technique and identifies the infected host. We also applied our methodology to live campus traffic and showed that it can automatically detect the domain flux technique and identify the infected host in real time.
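The per-host failure threshold described in the abstract, as an added example that is not the paper's code: it counts NXDOMAIN responses per source IP over a sliding time window and flags hosts that reach the threshold. The line-per-query log format, the threshold value and the window length are assumptions, since the abstract does not specify them; the sample log lines are constructed.

```python
# Added example (not the paper's code): flag a host whose failed DNS queries
# cluster the way domain-flux lookups for unregistered rendezvous domains do.
# Log format, threshold and window are assumptions for this illustration.
from collections import defaultdict, deque

# Constructed resolver log: "<epoch> <src_ip> <qname> <rcode>" per line.
SAMPLE_LOG = """\
1400000000 10.0.0.5 www.example.com NOERROR
1400000001 10.0.0.9 a3k9x2q7v1.com NXDOMAIN
1400000002 10.0.0.9 zq81mwe0pl.net NXDOMAIN
1400000003 10.0.0.5 mail.example.com NOERROR
1400000004 10.0.0.9 rr7hd2n8ks.org NXDOMAIN
1400000005 10.0.0.9 l0pq4vbt9c.info NXDOMAIN
1400000006 10.0.0.9 xm2ce7ya5n.biz NXDOMAIN
1400000007 10.0.0.5 typo.exmaple.com NXDOMAIN
1400000200 10.0.0.9 h7yt3ma1zs.com NXDOMAIN
"""

# NXDOMAIN is the failure a lookup of an unregistered domain returns.
FAILURE_RCODES = {"NXDOMAIN"}


def parse_line(line):
    """Split one log line into (timestamp, src_ip, qname, rcode)."""
    ts, src, qname, rcode = line.split()
    return int(ts), src, qname, rcode


def detect_domain_flux(log_text, threshold=5, window_s=60):
    """Return {src_ip: (failure_count, [failed qnames])} for every host whose
    failed queries within any window_s-second window reach `threshold`.
    Successful queries are ignored: only failures feed the count."""
    recent = defaultdict(deque)  # src_ip -> (ts, qname) pairs inside the window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, qname, rcode = parse_line(line)
        if rcode not in FAILURE_RCODES:
            continue
        q = recent[src]
        q.append((ts, qname))
        while q and ts - q[0][0] > window_s:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = (len(q), [name for _, name in q])
    return flagged
```

The single failed lookup from 10.0.0.5 (a typo) stays below the threshold, while 10.0.0.9 is flagged on its fifth failure inside the window; the flagged domain list is what an analyst would then inspect for the random-looking names domain generation produces.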