Abstract

In this article, we analyze the behavioral characteristics of domain name service queries produced by programs and then design an algorithm to detect malware with expired command-and-control domains based on the key feature of such domain name service traffic: repeatedly querying a domain at a fixed interval. In total, 3027 malware command-and-control domains in the network traffic of Shanghai Jiao Tong University, affecting 249 hosts, were successfully detected, with a high precision of 92.0%. This algorithm can find malware with expired command-and-control domains that is usually ignored by current research and has important value for eliminating network security risks and improving the network security environment.

Highlights

  • Malware is a constant threat to the Internet and detecting malware is a hot research topic

  • The data sources used by detection systems are generally NetFlow, Honeypot, domain name system (DNS) traffic, and address assignment information (border gateway protocol, autonomous system, dynamic host configuration protocol (DHCP), etc.), and some detection systems need deep packet inspection to identify the characteristics of the application layer

  • Since there is no way to accurately identify all of the BitTorrent tracker domain names from DNS traffic, our study focuses on repeated attempts from a single client and on domain names with a large number of requesting clients


Summary

Introduction

Malware is a constant threat to the Internet and detecting malware is a hot research topic. The contribution of this article is as follows: (1) we analyze the malware C&C failure problem and find that it gives rise to repeated and periodic request behavior in DNS traffic. We verify this with a convincing real-world dataset. We identified 333 expired domain names of common software with 10,706,250 requests in total, accounting for 3.05% of all DNS failures. The variation coefficient is able to describe the periodic characteristic of a query sequence, and the repetitive requesting nature of a program's domain can be reflected by the number of retries for the same failed domain. Considering that it is very rare for malware to have such a short request interval, we ignore those sequences whose average interval is shorter than 30 s to avoid misjudgment.
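As an added illustration (not the paper's own code), the following Python sketch applies the features described above to a constructed set of failed DNS lookups: it groups failures per client and domain, computes the number of retries and the coefficient of variation of the inter-query intervals, and discards sequences whose mean interval is under 30 s. The retry and variation-coefficient thresholds are assumptions, not values taken from the paper.

```python
"""Periodic failed-DNS-query detector (constructed example, not the paper's code)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of failed (NXDOMAIN) lookups: (timestamp_s, client, domain).
# Host 10.0.0.5 retries an expired domain every 60 s; the other hosts look benign.
SAMPLE_FAILED_QUERIES = [
    (t, "10.0.0.5", "expired-c2.example") for t in range(0, 600, 60)
] + [
    (12, "10.0.0.9", "typo.examp1e"), (15, "10.0.0.9", "typo.examp1e"),
    (400, "10.0.0.9", "cdn-old.example"),
    (0, "10.0.0.7", "fast.example"), (5, "10.0.0.7", "fast.example"),
    (10, "10.0.0.7", "fast.example"), (15, "10.0.0.7", "fast.example"),
]

MIN_AVG_INTERVAL = 30.0   # the paper ignores sequences with a mean interval under 30 s
MIN_RETRIES = 5           # assumed threshold: retries of the same failed domain
MAX_CV = 0.2              # assumed threshold: coefficient of variation of the intervals

def group_sequences(records):
    """Group failed-query timestamps per (client, domain), sorted in time."""
    seqs = defaultdict(list)
    for ts, client, domain in records:
        seqs[(client, domain)].append(ts)
    return {k: sorted(v) for k, v in seqs.items()}

def interval_stats(timestamps):
    """Return (retries, mean_interval, coefficient_of_variation) for one sequence."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if not gaps:
        return 0, 0.0, float("inf")
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg > 0 else float("inf")
    return len(gaps), avg, cv

def detect_periodic_failures(records, min_retries=MIN_RETRIES,
                             max_cv=MAX_CV, min_avg=MIN_AVG_INTERVAL):
    """Flag (client, domain) pairs re-queried at a near-fixed interval after failing."""
    flagged = []
    for (client, domain), ts in group_sequences(records).items():
        retries, avg, cv = interval_stats(ts)
        if retries >= min_retries and avg >= min_avg and cv <= max_cv:
            flagged.append((client, domain, retries, round(avg, 1), round(cv, 3)))
    return sorted(flagged)

if __name__ == "__main__":
    for hit in detect_periodic_failures(SAMPLE_FAILED_QUERIES):
        print(hit)
```

On the constructed sample only the 60 s retry sequence is flagged; the two-attempt typo and the rapid sub-30 s retries fall below the thresholds.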

