Phoenix: DGA-Based Botnet Tracking and Intelligence

Schiavoni, Stefano; Maggi, Federico; Cavallaro, Lorenzo; Zanero, Stefano

doi:10.1007/978-3-319-08509-8_11

Cited by 152 publications

(133 citation statements)

References 12 publications

Supporting

Mentioning

125

Contrasting

Unclassified

Order By: Relevance

“…Massive botnets use DGAs to build complicated C and C infrastructures for DDoS attacks. Schiavoni et al established an approach named Phoenix to identify the botnets relying on DGA utilizing IP-based traits [40], with the exception of distinguishing DGA-and non-DGA-generated domains utilizing a different combination of string and IP-based characteristics, and discovering representations of botnets from the clusters of DGA-generated domains. The Phoenix approach consisted of three modules: a detection module, a discovery module, and an intelligence and observation module.…”

Section: Dga-based Botnet Detectionmentioning

confidence: 99%

Botnet Detection Technology Based on DNS

Wang

Zhang

2017

Future Internet

View full text Add to dashboard Cite

With the help of botnets, intruders can implement a remote control on infected machines and perform various malicious actions. Domain Name System (DNS) is very famous for botnets to locate command and control (C and C) servers, which enormously strengthens a botnet's survivability to evade detection. This paper focuses on evasion and detection techniques of DNS-based botnets and gives a review of this field for a general summary of all these contributions. Some important topics, including technological background, evasion and detection, and alleviation of botnets, are discussed. We also point out the future research direction of detecting and mitigating DNS-based botnets. To the best of our knowledge, this topic gives a specialized and systematic study of the DNS-based botnet evading and detecting techniques in a new era and is useful for researchers in related fields.

show abstract

Section: Dga-based Botnet Detectionmentioning

confidence: 99%

Botnet Detection Technology Based on DNS

Wang

Zhang

2017

Future Internet

View full text Add to dashboard Cite

show abstract

“…Schiavoni et al [47] presented a mechanism called Phoenix based on the DBSCAN clustering algorithm, which could not only tell DGA-and non-DGA-generated domains apart using a combination of string and IPbased features, characterize the DGAs behind them, but also find group of DGA-generated domains that are representatives of the respective botnets.…”

Section: Dbscanmentioning

confidence: 99%

Machine Learning for Analyzing Malware

Liu

Zeng

Yan

et al. 2017

JCSM

View full text Add to dashboard Cite

The Internet has become an indispensable part of people's work and life, but it also provides favorable communication conditions for malwares. Therefore, malwares are endless and spread faster and become one of the main threats of current network security. Based on the malware analysis process, from the original feature extraction and feature selection to malware analysis, this paper introduces the machine learning algorithms such as classification, clustering and association analysis, and how to use these machine learning algorithms to effectively analyze the malware and its variants.

show abstract

“…Yadav et al proposed a detection method for these domains that combined multiple metrics related to distributions of alphanumeric characters [11]. Schiavoni et al's method [12] for detecting DGA-based domain names utilizes a combination of dictionary-and n-gram-based approaches.…”

Section: Detection Of Automatically Generated Wordsmentioning

confidence: 99%

Detection and Filtering System for DNS Water Torture Attacks Relying Only on Domain Name Information

Yoshida¹,

Kawakami²,

Kobayashi³

et al. 2017

Journal of Information Processing

View full text Add to dashboard Cite

Abstract:Water torture attacks are a recently emerging type of Distributed Denial-of-Service (DDoS) attack on Domain Name System (DNS) servers. They generate a multitude of malicious queries with randomized, unique subdomains. This paper proposes a detection method and a filtering system for water torture attacks. The former is an enhancement of our previous effort so as to achieve packet-by-packet, on-the-fly processing, and the latter is an application of our current method mainly for defending recursive servers. Our proposed method detects malicious queries by analyzing their subdomains with a naïve Bayes classifier. Considering large-scale applications, we focus on achieving high throughput as well as high accuracy. Experimental results indicate that our method can detect attacks with 98.16% accuracy and only a 1.55% false positive rate, and that our system can process up to 7.44 Mpps of traffic.

show abstract

Phoenix: DGA-Based Botnet Tracking and Intelligence

Cited by 152 publications

References 12 publications

Botnet Detection Technology Based on DNS

Botnet Detection Technology Based on DNS

Machine Learning for Analyzing Malware

Detection and Filtering System for DNS Water Torture Attacks Relying Only on Domain Name Information

Contact Info

Product

Resources

About