Article ID: 457795
Journal: Digital Investigation
Published Year: 2015
Pages: 12 Pages
File Type: PDF
Abstract

Each botnet needs an addressing mechanism to locate its command and control (C&C) server(s). This mechanism allows a botmaster to send commands to and receive stolen data from compromised hosts. To maximize the availability of the C&C server(s), botmasters have recently started to use domain-flux techniques. However, domain-flux botnets have some important characteristics that we can use to detect them. They usually generate a large number of DNS queries that resolve to the same IP address, and they often produce many failures in DNS traffic. The domain names in the DNS queries are randomly or algorithmically generated, and their alphanumeric distribution differs significantly from that of legitimate domain names. In this paper, we present DFBotKiller, a negative reputation system that considers the history of both suspicious group activities and suspicious failures in DNS traffic to detect domain-flux botnets. Our main goal is to automatically assign a high negative reputation score to each host that is involved in these suspicious domain activities. To identify randomly or algorithmically generated domain names, we use three measures, namely the Jensen-Shannon divergence, Spearman's rank correlation coefficient, and Levenshtein distance. We demonstrate the effectiveness of DFBotKiller in detecting hosts infected by domain-flux botnets using DNS queries collected from our campus network and from a testbed network consisting of several bot-infected hosts. The experimental results show that DFBotKiller achieves a good trade-off between the detection and false alarm rates.
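As an added example, not code from the paper, the three measures named in the abstract computed for a single queried label against a constructed reference set of legitimate labels; the reference corpus, the alphabet, and the `features` wrapper are assumptions, since this page does not give the paper's exact feature definitions.

```python
"""Added example (not the paper's code): DFBotKiller's three measures over a constructed reference."""
import math
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

def char_dist(text):
    """Unigram distribution over ALPHABET of one or more domain labels."""
    c = Counter(ch for ch in text.lower() if ch in ALPHABET)
    n = sum(c.values()) or 1
    return [c[ch] / n for ch in ALPHABET]

def jensen_shannon(p, q):
    """JS divergence in base 2 (0 = identical, 1 = disjoint support)."""
    m = [(a + b) / 2 for a, b in zip(p, q)]
    kl = lambda d: sum(x * math.log2(x / y) for x, y in zip(d, m) if x > 0)
    return (kl(p) + kl(q)) / 2

def _ranks(v):
    """Ranks starting at 1; tied values share their mean rank."""
    s = sorted(v)
    return [(s.index(x) + 1 + len(s) - s[::-1].index(x)) / 2 for x in v]

def spearman(x, y):
    """Spearman's rho: Pearson correlation of the tie-averaged ranks."""
    rx, ry = _ranks(x), _ranks(y)
    mx, my = sum(rx) / len(rx), sum(ry) / len(ry)
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    var = math.sqrt(sum((a - mx) ** 2 for a in rx) * sum((b - my) ** 2 for b in ry))
    return cov / var if var else 0.0

def levenshtein(a, b):
    """Edit distance between two labels, e.g. successive queries from one host."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

# Constructed reference corpus of legitimate second-level labels (assumption).
LEGIT = ["google", "facebook", "wikipedia", "amazon", "youtube", "twitter", "microsoft", "example"]
REF = char_dist("".join(LEGIT))

def features(label, prev_label=""):
    """Per-query measures a reputation system could accumulate per host (assumed wrapper)."""
    p = char_dist(label)
    return {"js": jensen_shannon(p, REF), "rho": spearman(p, REF),
            "lev": levenshtein(label, prev_label)}
```

A label whose character distribution is far from the reference yields a higher JS divergence and a lower rank correlation; the reputation system would accumulate such per-host evidence over time rather than judge a single query.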

Related Topics: Physical Sciences and Engineering; Computer Science; Computer Networks and Communications