International Journal of Information Security

, Volume 16, Issue 2, pp 115–132 | Cite as

A method for identifying compromised clients based on DNS traffic analysis

  • Matija StevanovicEmail author
  • Jens Myrup Pedersen
  • Alessandro D’Alconzo
  • Stefan Ruehrup
Regular Contribution


DNS is widely abused by Internet criminals in order to provide reliable communication within malicious network infrastructure as well as flexible and resilient hosting of malicious content. This paper presents a novel detection method that can be used for identifying potentially compromised clients based on DNS traffic analysis. The proposed method identifies suspicious agile DNS mappings, i.e., mappings characterized by fast changing domain names or/and IP addresses, often used by malicious services. The approach discovers clients that have queried domains contained within identified suspicious domain-to-IP mappings, thus assisting in pinpointing potentially compromised clients within the network. The proposed approach targets compromised clients in large-scale operational networks. We have evaluated the proposed approach using an extensive set of DNS traffic traces from different operational ISP networks. The evaluation illustrates a great potential of accurately identifying suspicious domain-to-IP mappings and potentially compromised clients. Furthermore, the achieved performance indicate that the novel detection approach is promising in view of the adoption in operational ISP networks. Finally, the proposed approach targets both Fast-flux and Domain-flux, thus having an advantage over existing detection methods that identify compromised clients.


DNS Traffic analysis Client identification Fast-flux Domain-flux Malware detection 



We would like to thank Bredbånd Nord for providing DNS traffic data sets used for the evaluation of the proposed detection method. We would also like to thank Dan Sandberg for assisting in obtaining the data sets and contributing to discussions on the use of the proposed detection method in operational networks.


  1. 1.
    Amazon Inc: Alexa—the list of the most popular domains. (2015)
  2. 2.
    Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., Feamster, N.: Building a dynamic reputation system for DNS. In: USENIX Security Symposium, pp. 273–290, (2010)Google Scholar
  3. 3.
    Antonakakis, M., Perdisci, R., Lee, W., Vasiloglou, II N., Dagon, D.: Detecting malware domains at the upper DNS hierarchy. In: USENIX Security Symposium, (2011)Google Scholar
  4. 4.
    Antonakakis, M., Perdisci, R., Nadji, Y., Vasiloglou II, N., Abu-Nimeh, S., Lee, W., Dagon, D.: From throw-away traffic to bots: detecting the rise of DGA-based malware. In: USENIX Security Symposium, pp. 491–506, (2012)Google Scholar
  5. 5.
    Berger, A.: Pydnsmap. (2014)
  6. 6.
    Berger, A., D’Alconzo, A., Gansterer, W.N., Pescapé, A.: Mining agile DNS traffic using graph analysis for cybercrime detection. Comput. Netw. 100, 28–44 (2016)CrossRefGoogle Scholar
  7. 7.
    Bilge, L., Sen, S., Balzarotti, D., Kirda, E., Kruegel, C.: Exposure: a passive DNS analysis service to detect and report malicious domains. ACM Trans. Inf. Syst. Secur. (TISSEC) 16(4), 14 (2014)CrossRefGoogle Scholar
  8. 8.
    Breiman, L.: Random forests. Mach. Learn. 45(1), 5–32 (2001)CrossRefzbMATHGoogle Scholar
  9. 9.
    Choi, H., Lee, H.: Identifying botnets by capturing group activities in DNS traffic. Comput. Netw. 56(1), 20–33 (2012)CrossRefGoogle Scholar
  10. 10.
    Damballa Inc: Top-10 TLDs abused by botnets for CNC. (2009)
  11. 11.
    Hall, M., Frank, E., Holmes, G., Pfahringer, B., Reutemann, P., Witten, I.H.: The weka data mining software: an update. SIGKDD Explor. Newsl. 11(1), 10–18 (2009)CrossRefGoogle Scholar
  12. 12.
    Holz, T., Gorecki, C., Rieck, K., Freiling, F.C.: Measuring and detecting fast-flux service networks. In: NDSS, (2008)Google Scholar
  13. 13.
    Kay, B., Greve, P.: Mapping the Mal Web. Tech. Rep., McAfee, Inc. (2011)
  14. 14.
    Knysz, M., Hu, X., Shin, K.G.: Good guys vs. bot guise: mimicry attacks against fast-flux detection systems. In: INFOCOM, 2011 Proceedings IEEE, IEEE, pp. 1844–1852, (2011)Google Scholar
  15. 15.
    Luo, P., Torres, R., Zhang, Z.L., Saha, S., Lee, S.J., Nuccim, A., Mellia, M.: Leveraging client-side DNS failure patterns to identify malicious behaviors. In: IEEE Conference on Communications and Network Security (CNS), 2015, IEEE, pp. 406–414, (2015)Google Scholar
  16. 16.
    MaxMind Inc: Databases of AS numbers. (2015a)
  17. 17.
    MaxMind Inc: Databases of cities. Scholar
  18. 18.
    Mockapetris, P.: Domain names—implementation and specifications. RFC 1035, RFC Editor. (1987)
  19. 19.
    Nazario, J., Holz, T.: As the net churns: fast-flux botnet observations. In: 3rd International Conference on Malicious and Unwanted Software, 2008. MALWARE 2008, IEEE, pp. 24–31, (2008)Google Scholar
  20. 20.
    NoVirusThanks Company Srl: Ipvoid—IP address blacklist checker tool. (2014a)
  21. 21.
    NoVirusThanks Company Srl: Urlvoid—website reputation checker tool. (2014b)
  22. 22.
    Perdisci, R., Corona, I., Giacinto, G.: Early detection of malicious flux networks via large-scale passive dns traffic analysis. IEEE Trans. Depend. Secure Comput. 9(5), 714–726 (2012)Google Scholar
  23. 23.
    Schiavoni, S., Maggi, F., Cavallaro, L., Zanero, S.: Phoenix: DGA-based botnet tracking and intelligence. In: Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 192–211. Springer, Switzerland (2014)Google Scholar
  24. 24.
    Sharifnya, R., Abadi, M.: DFBotkiller: domain-flux botnet detection based on the history of group activities and failures in DNS traffic. Digit. Investig. 12, 15–26 (2015)CrossRefGoogle Scholar
  25. 25.
    Stevanovic, M., Pedersen, J.M., D’Alconzo, A., Ruehrup, S., Berger, A.: On the ground truth problem of malicious DNS traffic analysis. Comput. Secur. 55, 142–158 (2015). doi: 10.1016/j.cose.2015.09.004 CrossRefGoogle Scholar
  26. 26.
    Van Leijenhorst, T., Chin, K.W., Lowe, D.: On the viability and performance of DNS tunneling. In: Proceedings of the International Conference on Information Technology and Applications, (2008)Google Scholar
  27. 27.
    Yadav, S., Reddy, A.K.K., Reddy, A., Ranjan, S.: Detecting algorithmically generated malicious domain names. In: Proceedings of the 10th ACM SIGCOMM Conference on Internet Measurement, ACM, pp. 48–61, (2010)Google Scholar
  28. 28.
    Yan, P.: How likely is a domain to be malicious? Here’s a look at the stats and graphs that help us decide. (2013)

Copyright information

© Springer-Verlag Berlin Heidelberg 2016

Authors and Affiliations

  • Matija Stevanovic
    • 1
    Email author
  • Jens Myrup Pedersen
    • 1
  • Alessandro D’Alconzo
    • 2
  • Stefan Ruehrup
    • 3
  1. 1.Department of Electronic SystemsAalborg UniversityAalborgDenmark
  2. 2.Austrian Institute of Technology (AIT)WienAustria
  3. 3.Forschungszentrum Telekommunikation Wien (FTW)WienAustria

Personalised recommendations