
Detecting Botnets by Analyzing DNS Traffic

  • Hao Tu
  • Zhi-tang Li
  • Bin Liu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4430)

Abstract

Botnets are a new trend in Internet attacks. Because botnet propagation does not generate large volumes of traffic the way a worm does, it is often difficult to detect. Until now, the most common method of detecting botnets has been to use honeynets. Although previous work has described an active detection technique using DNS hijacking [1], there is little information about how to detect the domain names that botnets use. Some researchers also use DNS-based methods to detect botnets [2,3], but all of them use simple signatures or statistical methods that require much prior knowledge.

References

  1. Dagon, D., Zou, C., Lee, W.: Modeling botnet propagation using time zones. In: Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS ’06) (2006)
  2. Kristoff, J.: Botnets. NANOG 32 (October 2004)
  3. Schonewille, A., van Helmond, D.-J.: The Domain Name Service as an IDS. Master System and Network Engineering at the University of Amsterdam (2006)
  4. Cohen, W.W.: Fast effective rule induction. In: Prieditis, A., Russell, S. (eds.) Proceedings of the 12th International Conference on Machine Learning, Tahoe City, CA, pp. 115–123. Morgan Kaufmann, San Francisco (1995)

Copyright information

© Springer Berlin Heidelberg 2007

Authors and Affiliations

  • Hao Tu (1)
  • Zhi-tang Li (1)
  • Bin Liu (1)

  1. Network and Computing Centre, HuaZhong University of Science & Technology, 1037 Luoyu Road, 430074 WuHan, P.R. China
