Skip to main content
USENIX
  • Conferences
  • Students
Sign in
  • Security '12 Home
  • Registration Information
  • Registration Discounts
  • Organizers
  • At a Glance
  • Calendar
  • Technical Sessions
  • Workshops
  • Hotel & Travel Information
  • Poster Session
  • Rump Session
  • Birds-of-a-Feather Sessions
  • Sponsors
  • Activities
  • Students
  • Questions?
  • For Participants
  • Help Promote
  • Call for Papers
  • Past Proceedings

sponsors

Gold Sponsor
Silver Sponsor
Silver Sponsor
Bronze Sponsor
Bronze Sponsor
Bronze Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor

twitter

Tweets by USENIXSecurity

usenix conference policies

  • Event Code of Conduct
  • Conference Network Policy
  • Statement on Environmental Responsibility Policy

You are here

Home » From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware
Tweet

connect with us

http://twitter.com/USENIXSecurity
https://www.facebook.com/events/309825352408177/

From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware

Authors: 

Manos Antonakakis, Damballa Inc. and Georgia Institute of Technology; Roberto Perdisci, University of Georgia and Georgia Institute of Technology; Yacin Nadji, Georgia Institute of Technology; Nikolaos Vasiloglou and Saeed Abu-Nimeh, Damballa Inc.; Wenke Lee and David Dagon, Georgia Institute of Technology

Abstract: 

Many botnet detection systems employ a blacklist of known command and control (C&C) domains to detect bots and block their traffic. Similar to signature-based virus detection, such a botnet detection approach is static because the blacklist is updated only after running an external (and often manual) process of domain discovery. As a response, botmasters have begun employing domain generation algorithms (DGAs) to dynamically produce a large number of random domain names and select a small subset for actual C&C use. That is, a C&C domain is randomly generated and used for a very short period of time, thus rendering detection approaches that rely on static domain lists ineffective. Naturally, if we know how a domain generation algorithm works, we can generate the domains ahead of time and still identify and block botnet C&C traffic. The existing solutions are largely based on reverse engineering of the bot malware executables, which is not always feasible.

In this paper we present a new technique to detect randomly generated domains without reversing. Our insight is that most of the DGA-generated (random) domains that a bot queries would result in Non-Existent Domain (NXDomain) responses, and that bots from the same botnet (with the same DGA algorithm) would generate similar NXDomain traffic. Our approach uses a combination of clustering and classification algorithms. The clustering algorithm clusters domains based on the similarity in the make-ups of domain names as well as the groups of machines that queried these domains. The classification algorithm is used to assign the generated clusters to models of known DGAs. If a cluster cannot be assigned to a known model, then a new model is produced, indicating a new DGA variant or family. We implemented a prototype system and evaluated it on real-world DNS traffic obtained from large ISPs in North America. We report the discovery of twelve DGAs. Half of them are variants of known (botnet) DGAs, and the other half are brand new DGAs that have never been reported before.

Manos Antonakakis, Damballa, Inc.

Roberto Perdisci, Georgia Institute of Technology

Yacin Nadji, Georgia Institute of Technology

Nikolaos Vasiloglou, Damballa, Inc.

Saeed Abu-Nimeh, Damballa, Inc.

Wenke Lee, Georgia Institute of Technology

David Dagon, Georgia Institute of Technology

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {180232,
author = {Manos Antonakakis and Roberto Perdisci and Yacin Nadji and Nikolaos Vasiloglou and Saeed Abu-Nimeh and Wenke Lee and David Dagon},
title = {From {Throw-Away} Traffic to Bots: Detecting the Rise of {DGA-Based} Malware},
booktitle = {21st USENIX Security Symposium (USENIX Security 12)},
year = {2012},
isbn = {978-931971-95-9},
address = {Bellevue, WA},
pages = {491--506},
url = {https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/antonakakis},
publisher = {USENIX Association},
month = aug,
}
Download
Antonakakis PDF
View the slides
  • Log in or    Register to post comments

Gold Sponsors

Silver Sponsors

Bronze Sponsors

Media Sponsors & Industry Partners

© USENIX

  • Privacy Policy
  • Contact Us