Detecting Botnets by Analyzing DNS Traffic
Botnets are a new trend in Internet attacks. Because botnet propagation does not generate heavy traffic the way a worm does, it is often difficult to detect. To date, the most common method of detecting botnets is to use honeynets. Although previous work has described an active detection technique based on DNS hijacking, there is little information on how to detect the domain names that botnets use. Some researchers also use DNS-based methods to detect botnets [2,3], but all of them rely on simple signature or statistical methods that require much prior knowledge.
- 1. Dagon, D., Zou, C., Lee, W.: Modeling botnet propagation using time zones. In: Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS '06) (2006)
- 2. Kristoff, J.: Botnets. NANOG 32 (October 2004)
- 3. Schonewille, A., van Helmond, D.-J.: The Domain Name Service as an IDS. Master's thesis, System and Network Engineering, University of Amsterdam (2006)
- 4. Cohen, W.W.: Fast effective rule induction. In: Prieditis, A., Russell, S. (eds.) Proceedings of the 12th International Conference on Machine Learning, Tahoe City, CA, pp. 115–123. Morgan Kaufmann, San Francisco (1995)