dc.contributor.author | Yadav, Sandeep | |
dc.contributor.author | Kumar Reddy, Ashwath | |
dc.contributor.author | Narasimha Reddy, A.L. | |
dc.contributor.author | Ranjan, Supranamaya | |
dc.date.accessioned | 2021-07-13T10:07:19Z | |
dc.date.available | 2021-07-13T10:07:19Z | |
dc.date.issued | 2010-11-01 | |
dc.identifier.uri | http://hdl.handle.net/20.500.12761/1263 | |
dc.description.abstract | Recent botnets such as Conficker, Kraken and Torpig have used DNS-based “domain fluxing” for command-and-control, where each bot queries for the existence of a series of domain names and the owner has to register only one such domain name. In this paper, we develop a methodology to detect such “domain fluxes” in DNS traffic by looking for patterns inherent to domain names that are generated algorithmically, in contrast to those generated by humans. In particular, we look at the distribution of alphanumeric characters as well as bigrams in all domains that are mapped to the same set of IP addresses. We present and compare the performance of several distance metrics, including KL-distance, Edit distance and the Jaccard measure. We train by using a good data set of domains obtained via a crawl of domains mapped to all IPv4 address space and by modeling bad data sets based on behaviors seen so far and expected. We also apply our methodology to packet traces collected at a Tier-1 ISP and show we can automatically detect domain fluxing as used by the Conficker botnet with minimal false positives. | |
dc.language.iso | eng | |
dc.subject.lcc | Q Science::Q Science (General) | |
dc.subject.lcc | Q Science::QA Mathematics::QA75 Electronic computers. Computer science | |
dc.subject.lcc | T Technology::T Technology (General) | |
dc.subject.lcc | T Technology::TA Engineering (General). Civil engineering (General) | |
dc.subject.lcc | T Technology::TK Electrical engineering. Electronics Nuclear engineering | |
dc.title | Detecting algorithmically generated malicious domain names | en |
dc.type | conference object | |
dc.conference.date | 1-3 November 2010 | |
dc.conference.place | Melbourne, Australia | |
dc.conference.title | Internet Measurement Conference 2010 | * |
dc.event.type | conference | |
dc.pres.type | paper | |
dc.type.hasVersion | VoR | |
dc.rights.accessRights | open access | |
dc.description.refereed | TRUE | |
dc.description.status | pub | |
dc.eprint.id | http://eprints.networks.imdea.org/id/eprint/67 | |