Abstract

Modern botnets such as Zeus and Conficker commonly use a technique called domain fluxing, or a Domain Generation Algorithm (DGA), to dynamically generate a large number of pseudo-random domain names through which botnet operators control their bots. These botnets are becoming one of the most serious threats to Internet security on a global scale. In this paper, we present a method that identifies DGA-bot infected machines by analyzing the similarly periodic time-interval series of their DNS queries. The method passively captures all DNS traffic at the gateway of the monitored network. First, we group the queries for each domain name requested by hosts and extract the series of time intervals between adjacent queries. Second, we measure the similarity in periodicity between DNS queries by computing the squared Euclidean distance between each pair of time-interval series. Finally, we apply a hierarchical clustering algorithm to cluster highly similar domain names. The experimental results show that domain names generated by the same botnet or DGA are grouped into the same cluster, so all hosts that query domains in these clusters are marked as compromised hosts running a domain-flux botnet within the monitored network.
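The pipeline the abstract describes (group queries by name, extract the inter-query interval series, compare series by squared Euclidean distance, cluster, flag the querying hosts), as an added Python example that is not the paper's own code. The query log, the distance threshold and the truncation of series to a common length are assumptions made here.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample log: (timestamp in seconds, client host, queried name).
# The three .xyz names stand in for one DGA's output, polled every ~300 s;
# example.com is an ordinary name with irregular query gaps.
LOG = [
    (0, "10.0.0.5", "kq3fz8.xyz"), (300, "10.0.0.5", "kq3fz8.xyz"),
    (602, "10.0.0.5", "kq3fz8.xyz"), (899, "10.0.0.5", "kq3fz8.xyz"),
    (4, "10.0.0.5", "wx9plm.xyz"), (303, "10.0.0.5", "wx9plm.xyz"),
    (605, "10.0.0.5", "wx9plm.xyz"), (902, "10.0.0.5", "wx9plm.xyz"),
    (7, "10.0.0.9", "zt41qa.xyz"), (308, "10.0.0.9", "zt41qa.xyz"),
    (607, "10.0.0.9", "zt41qa.xyz"), (910, "10.0.0.9", "zt41qa.xyz"),
    (1, "10.0.0.7", "example.com"), (31, "10.0.0.7", "example.com"),
    (480, "10.0.0.7", "example.com"), (495, "10.0.0.7", "example.com"),
]

def interval_series(log):
    """Group queries by name; return {name: [gaps between adjacent queries]}."""
    times = defaultdict(list)
    for ts, _host, name in log:
        times[name].append(ts)
    out = {}
    for name, t in times.items():
        t = sorted(t)
        out[name] = [b - a for a, b in zip(t, t[1:])]
    return out

def sq_euclidean(a, b):
    """Squared Euclidean distance between two interval series. Series are
    truncated to a common length (assumption: the abstract does not say how
    unequal lengths are handled)."""
    k = min(len(a), len(b))
    return sum((x - y) ** 2 for x, y in zip(a[:k], b[:k]))

def cluster(series, threshold):
    """Single-linkage agglomerative clustering: repeatedly merge two clusters
    that contain a pair of names whose distance is at most `threshold`."""
    clusters = [{n} for n in series]
    merged = True
    while merged:
        merged = False
        for c1, c2 in combinations(clusters, 2):
            if any(sq_euclidean(series[x], series[y]) <= threshold
                   for x in c1 for y in c2):
                clusters.remove(c1)
                clusters.remove(c2)
                clusters.append(c1 | c2)
                merged = True
                break  # restart scan over the updated cluster list
    return sorted(sorted(c) for c in clusters)

def flagged_hosts(log, threshold=100, min_cluster=2):
    """Hosts that queried any name in a cluster of >= min_cluster names."""
    groups = cluster(interval_series(log), threshold)
    suspect = {n for c in groups if len(c) >= min_cluster for n in c}
    return sorted({h for _ts, h, n in log if n in suspect})
```

With the constructed log, the three ~300 s names fall into one cluster and the two hosts that queried them are flagged, while example.com stays alone.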
