Detecting Algorithmically Generated Domain-Flux Attacks With DNS Traffic Analysis
Recent botnets such as Conficker, Kraken and Torpig have used DNS-based "domain fluxing" for command-and-control, where each bot queries for the existence of a series of domain names while the botnet owner has to register only one of them. In this paper, the authors develop a methodology to detect such "domain fluxes" in DNS traffic by looking for patterns inherent to domain names that are generated algorithmically, in contrast to those chosen by humans. In particular, they look at the distribution of alphanumeric characters as well as bigrams across all domains that are mapped to the same set of IP addresses. They present and compare the performance of several distance metrics, including KL distance, edit distance and the Jaccard measure.
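As an added example (not code from the paper), the three per-group features the abstract names are computed in Python over constructed domain labels: KL distance between character distributions, Jaccard similarity of bigram sets, and mean pairwise edit distance within a group of domains that resolve to the same IP set. The benign and suspect label lists, and the add-one smoothing, are assumptions of this example.

```python
import math
from collections import Counter
from itertools import combinations

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

# Constructed sample second-level labels (not data from the paper): human-chosen
# names versus labels imitating an algorithmically generated, pseudo-random flux.
BENIGN = ["google", "facebook", "wikipedia", "amazon", "youtube", "twitter",
          "github", "reddit", "netflix", "microsoft", "apple", "linkedin"]
SUSPECT = ["xkq7vbz2", "p3wq9lz0", "zv8kmq4r", "q0xj7bwn", "m9zkp3vx",
           "b7qzx2wk", "k4vzq8mp", "w2xkz9qb", "z6qpk3vm", "j8kzq1xw"]

def char_dist(labels):
    """Unigram distribution over ALPHABET, add-one smoothed so every KL term is finite."""
    counts = Counter(ch for lab in labels for ch in lab.lower() if ch in ALPHABET)
    total = sum(counts.values()) + len(ALPHABET)
    return {ch: (counts[ch] + 1) / total for ch in ALPHABET}

def kl_divergence(p, q):
    """KL(p || q) in nats; zero when the two smoothed distributions coincide."""
    return sum(p[ch] * math.log(p[ch] / q[ch]) for ch in ALPHABET)

def bigrams(label):
    return {label[i:i + 2] for i in range(len(label) - 1)}

def jaccard(labels, baseline):
    """Jaccard similarity of the bigram sets of a domain group and the baseline."""
    a = set().union(*(bigrams(l) for l in labels))
    b = set().union(*(bigrams(l) for l in baseline))
    return len(a & b) / len(a | b)

def edit_distance(s, t):
    """Levenshtein distance by the standard dynamic-programming recurrence."""
    prev = list(range(len(t) + 1))
    for i, cs in enumerate(s, 1):
        cur = [i]
        for j, ct in enumerate(t, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (cs != ct)))
        prev = cur
    return prev[-1]

def score_group(labels, baseline=BENIGN):
    """Features for one group of domains sharing an IP set: KL from benign unigrams,
    bigram Jaccard to benign, and mean pairwise edit distance inside the group."""
    pairs = list(combinations(labels, 2))
    return {
        "kl": kl_divergence(char_dist(labels), char_dist(baseline)),
        "jaccard": jaccard(labels, baseline),
        "mean_edit": sum(edit_distance(a, b) for a, b in pairs) / max(len(pairs), 1),
    }
```

A group scoring a high KL distance and a low bigram Jaccard against the benign baseline, as `score_group(SUSPECT)` does here, is the signal the paper's approach flags for analyst review.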