Today, botnets are known as one of the most important threats against Internet infrastructure. A botnet is a network of compromised hosts (bots) remotely controlled by a so-called botmaster through one or more command and control (C&C) servers. Since DNS is one of the m More
Today, botnets are known as one of the most important threats against Internet infrastructure. A botnet is a network of compromised hosts (bots) remotely controlled by a so-called botmaster through one or more command and control (C&C) servers. Since DNS is one of the most important services on Internet, botmasters use it to resistance their botnet. By use of DNS service, botmasters implement two techniques: IP-flux and domain-flux. These techniques help an attacker to dynamically change C&C server addresses and prevent it from becoming blacklisted. In this paper, we propose a reputation system used a clustering method and DNS traffic for online fluxing botnets detection .we first cluster DNS queries with similar characteristics at the end of each time period. We then identify hosts that generate suspicious domain names and add them to a so-called suspicious group activity matrix. We finally calculate the negative reputation score of each host in the matrix and detect hosts with high negative reputation scores as bot-infected. The experimental results show that it can successfully detect fluxing botnets with a high detection rate and a low false alarm rate.
Manuscript profile