Skip to main content

Phoenix: DGA-Based Botnet Tracking and Intelligence

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC,volume 8550)

Abstract

Modern botnets rely on domain-generation algorithms (DGAs) to build resilient command-and-control infrastructures. Given the prevalence of this mechanism, recent work has focused on the analysis of DNS traffic to recognize botnets based on their DGAs. While previous work has concentrated on detection, we focus on supporting intelligence operations. We propose Phoenix, a mechanism that, in addition to telling DGA- and non-DGA-generated domains apart using a combination of string and IP-based features, characterizes the DGAs behind them, and, most importantly, finds groups of DGA-generated domains that are representative of the respective botnets. As a result, Phoenix can associate previously unknown DGA-generated domains to these groups, and produce novel knowledge about the evolving behavior of each tracked botnet. We evaluated Phoenix on 1,153,516 domains, including DGA-generated domains from modern, well-known botnets: without supervision, it correctly distinguished DGA- vs. non-DGA-generated domains in 94.8 percent of the cases, characterized families of domains that belonged to distinct DGAs, and helped researchers “on the field” in gathering intelligence on suspicious domains to identify the correct botnet.

Keywords

  • Bipartite Graph
  • Detection Module
  • Linguistic Feature
  • Discovery Module
  • DBSCAN Algorithm

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

This research has been funded by EPSRC G.A. EP/K033344/1 and EU FP7 n.257007. The opinions expressed in this paper are those of the authors and do not necessarily reflect the views of the funding parties.

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-319-08509-8_11
  • Chapter length: 20 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   44.99
Price excludes VAT (USA)
  • ISBN: 978-3-319-08509-8
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   59.99
Price excludes VAT (USA)

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., Feamster, N.: Building a dynamic reputation system for dns. In: USENIX Security (2010)

    Google Scholar 

  2. Antonakakis, M., Perdisci, R., Lee, W., Vasiloglou, N., Dagon, D.: Detecting malware domains at the upper DNS hierarchy. In: USENIX Security, vol. 11 (2011)

    Google Scholar 

  3. Antonakakis, M., Perdisci, R., Nadji, Y., Vasiloglou, N., Abu-Nimeh, S., Lee, W., Dagon, D.: From throw-away traffic to bots: detecting the rise of DGA-based malware. In: USENIX Security, USENIX Association (August 2012)

    Google Scholar 

  4. Bailey, T.M., Hahn, U.: Determinants of wordlikeness: Phonotactics or lexical neighborhoods? Journal of Memory and Language 44(4), 568–591 (2001)

    CrossRef  Google Scholar 

  5. Bilge, L., Balzarotti, D., Robertson, W., Kirda, E., Kruegel, C.: Disclosure: detecting botnet command and control servers through large-scale netflow analysis. In: ACSAC. ACM (2012)

    Google Scholar 

  6. Bilge, L., Kirda, E., Kruegel, C., Balduzzi, M.: Exposure: Finding malicious domains using passive DNS analysis. In: NDSS (2011)

    Google Scholar 

  7. Han, J., Kamber, M.: Data mining: concepts and techniques. Morgan Kaufmann (2006)

    Google Scholar 

  8. Holz, T., Gorecki, C., Rieck, K., Freiling, F.C.: Measuring and detecting fast-flux service networks. In: NDSS (2008)

    Google Scholar 

  9. Jones, E., Oliphant, T., Peterson, P.: et al.: SciPy: Open source scientific tools for Python (2001), http://www.scipy.org/ (accessed: January 28, 2013)

  10. Leder, F., Werner, T.: Know your enemy: Containing conficker. The Honeynet Project, University of Bonn, Germany, Tech. Rep. (2009)

    Google Scholar 

  11. Marinos, L., Sfakianakis, A.: ENISA Threat Landscape. Tech. rep., ENISA (2012)

    Google Scholar 

  12. Neugschwandtner, M., Comparetti, P.M., Platzer, C.: Detecting malware’s failover C&C strategies with Squeeze. In: ACSAC. ACM (2011)

    Google Scholar 

  13. Newman, M.: Networks: an introduction. Oxford University Press (2010)

    Google Scholar 

  14. Passerini, E., Paleari, R., Martignoni, L., Bruschi, D.: fluXOR: Detecting and monitoring fast-flux service networks. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 186–206. Springer, Heidelberg (2008)

    CrossRef  Google Scholar 

  15. Perdisci, R., Corona, I., Giacinto, G.: Early detection of malicious flux networks via large-scale passive DNS analysis. IEEE Transactions on Dependable and Secure Computing 9(5), 714–726 (2012)

    Google Scholar 

  16. Rossow, C., Dietrich, C.J., Grier, C., Kreibich, C., Paxson, V., Pohlmann, N., Bos, H., van Steen, M.: Prudent practices for designing malware experiments: Status quo and outlook. In: Security and Privacy (SP). IEEE (2012)

    Google Scholar 

  17. Schiavoni, S., Maggi, F., Cavallaro, L., Zanero, S.: Tracking and Characterizing Botnets Using Automatically Generated Domains. Tech. rep. (2013), http://arxiv.org/abs/1311.5612

  18. Scholes, R.J.: Phonotactic grammaticality. No. 50, Mouton (1966)

    Google Scholar 

  19. Stone-Gross, B., Cova, M., Cavallaro, L., Gilbert, B., Szydlowski, M., Kemmerer, R., Kruegel, C., Vigna, G.: Your botnet is my botnet: analysis of a botnet takeover. In: CCS. ACM (2009)

    Google Scholar 

  20. Yadav, S., Reddy, A.L.N.: Winning with DNS failures: Strategies for faster botnet detection. In: Rajarajan, M., Piper, F., Wang, H., Kesidis, G. (eds.) SecureComm 2011. LNICST, vol. 96, pp. 446–459. Springer, Heidelberg (2012)

    CrossRef  Google Scholar 

  21. Yadav, S., Reddy, A.K.K., Reddy, A., Ranjan, S.: Detecting algorithmically generated domain-flux attacks with dns traffic analysis. IEEE/ACM TON 20(5) (2012)

    Google Scholar 

  22. Yadav, S., Reddy, A.K.K., Reddy, A.N., Ranjan, S.: Detecting algorithmically generated malicious domain names. In: IMC. ACM (2010)

    Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Schiavoni, S., Maggi, F., Cavallaro, L., Zanero, S. (2014). Phoenix: DGA-Based Botnet Tracking and Intelligence. In: Dietrich, S. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2014. Lecture Notes in Computer Science, vol 8550. Springer, Cham. https://doi.org/10.1007/978-3-319-08509-8_11

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-08509-8_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-08508-1

  • Online ISBN: 978-3-319-08509-8

  • eBook Packages: Computer ScienceComputer Science (R0)