Detection of fast - ux botnets through DNS tra c analysis

Botnets are networks built up of a large number of bot computers, which provide the attacker with massive resources, such as bandwidth, storage, and processing power, in turn, allowing the attacker to launch massive attacks, such as Distributed Denial of Service (DDoS) attacks, or undertake spamming or phishing campaigns. One of the main approaches for botnet detection is based on monitoring and analyzing DNS query/responses in the network, where botnets make their detection more diicult by using techniques such as fast-uxing. Moreover, the main challenge in detecting fast-ux botnets arises from their similar behavior with that of legitimate networks, such as CDNs, which employ a round-robin DNS technique. In this paper, we propose a new system to detect fast-ux botnets by passive DNS monitoring. The proposed system rst lters out domains seen in historical DNS traces assuming that they are benign. We believe this assumption to be valid as benign domains usually have long lifetime as compared to botnet domains, which are usually short-lived. Hence, CDN domains, which are the main cause of misclassiication when looking for malicious fast-ux domains, are removed. Afterwards, a few simple features are calculated to help in properly categorizing the domains in question as either benign or botnet related. The proposed system is evaluated by employing DNS traces from our campus network and encouraging evaluation results are obtained.