Abstract

Botnet threats, such as attacks on servers or the sending of spam e-mail, have been increasing. Infected hosts must therefore be found and their malicious activities mitigated. An effective method for finding infected hosts is to use a blacklist of domain names. When a bot receives attack commands from a Command and Control (C&C) server, it first resolves the server's domain name through DNS; because a single bot uses several such names, a blacklist cannot cover all black domain names. We thus present a method for finding unknown black domain names by using DNS query data together with an existing blacklist of known black domain names. To achieve this, we focus on the DNS queries sent by infected hosts. One bot sends queries for several black domain names because of C&C server redundancy. We use the co-occurrence relation between two different domain names to find unknown black domain names and extend the blacklist: if a domain name frequently co-occurs with a known black name, we assume that the domain name is also black. A cross-validation evaluation of the proposed method showed that 91.2% of the domain names on the validation list scored in the top 1%.
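The abstract describes the idea but not the scoring rule. The following is an added example, not code from the paper: it scores each non-blacklisted domain by the fraction of the hosts that queried it which also queried a known black name, ranks the candidates, and reproduces the paper's hold-one-out validation on a constructed log. The scoring formula, the `min_hosts` support threshold and the sample data are assumptions made here for illustration, not the authors' method.

```python
"""Co-occurrence scoring of DNS query logs against a domain blacklist.

Added example (not the paper's own code). The score used here is an
assumption: score(d) = |hosts querying d that also queried any black
domain| / |hosts querying d|. Normalising by the number of hosts that
queried d keeps popular benign domains, which co-occur with everything,
from floating to the top.
"""
from collections import defaultdict

# Constructed sample log of (source host, queried domain); not real traffic.
SAMPLE_QUERIES = [
    ("10.0.0.1", "cc-one.example"),
    ("10.0.0.1", "cc-two.example"),
    ("10.0.0.1", "update.popular.example"),
    ("10.0.0.2", "cc-one.example"),
    ("10.0.0.2", "cc-two.example"),
    ("10.0.0.2", "update.popular.example"),
    ("10.0.0.3", "cc-one.example"),
    ("10.0.0.3", "cc-two.example"),
    ("10.0.0.4", "update.popular.example"),
    ("10.0.0.5", "update.popular.example"),
    ("10.0.0.6", "update.popular.example"),
    ("10.0.0.6", "news.benign.example"),
    ("10.0.0.7", "news.benign.example"),
]

# Assumed seed blacklist: only one C&C name is known up front.
KNOWN_BLACK = {"cc-one.example"}


def normalize(domain):
    """Lower-case and strip a trailing dot so FQDN spellings compare equal."""
    return domain.lower().rstrip(".")


def hosts_by_domain(queries):
    """Map each domain to the set of distinct hosts that queried it."""
    index = defaultdict(set)
    for host, domain in queries:
        index[normalize(domain)].add(host)
    return index


def score_candidates(queries, blacklist, min_hosts=2):
    """Score every non-blacklisted domain by co-occurrence with black names.

    Domains queried by fewer than min_hosts hosts are skipped: a single
    host's idiosyncratic lookups are not evidence of shared C&C use.
    """
    index = hosts_by_domain(queries)
    black = {normalize(d) for d in blacklist}

    # Hosts that resolved any known black name are treated as infected.
    infected = set()
    for d in black:
        infected |= index.get(d, set())

    scores = {}
    for domain, hosts in index.items():
        if domain in black or len(hosts) < min_hosts:
            continue
        scores[domain] = len(hosts & infected) / len(hosts)
    return scores


def rank_candidates(queries, blacklist, min_hosts=2):
    """Return (domain, score) pairs, highest score first, ties by name."""
    scores = score_candidates(queries, blacklist, min_hosts)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def holdout_rank(queries, blacklist, held_out):
    """Hold-one-out check in the spirit of the paper's cross-validation.

    Remove held_out from the blacklist, rank candidates with the rest, and
    report the 1-based position at which held_out is recovered (None if
    it does not meet the support threshold).
    """
    training = {normalize(d) for d in blacklist} - {normalize(held_out)}
    for position, (domain, _score) in enumerate(rank_candidates(queries, training), 1):
        if domain == normalize(held_out):
            return position
    return None


if __name__ == "__main__":
    for domain, score in rank_candidates(SAMPLE_QUERIES, KNOWN_BLACK):
        print(f"{score:.2f}  {domain}")
    print("held-out rank of cc-two.example:",
          holdout_rank(SAMPLE_QUERIES, {"cc-one.example", "cc-two.example"}, "cc-two.example"))
```

On the constructed log, `cc-two.example` scores 1.0 because every host that queried it also queried the known black name, while `update.popular.example` is queried by the same infected hosts but also by three clean ones and drops to 0.4. In practice the blacklist seed should be checked for domains that are themselves popular, since a mislabelled benign seed would mark many clean hosts as infected and inflate every score.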
