Malware Domains Detection by Monitoring Group Activities

Yanning Zhang
2013-01-01
Computer Science
Abstract: At present, many botnets adopt Domain Flux techniques to evade blocking by domain blacklists. A new technique is proposed to detect malicious domains by analyzing the group behavior of compromised hosts in their DNS queries. The method clusters the new domains and Non-Existent domains queried by hosts in each epoch, groups the hosts by the new domain names they query, and checks whether the hosts within the same group show group activity when querying Non-Existent domains, in order to detect compromised hosts and the IP addresses of CC servers. Monitoring results on an ISP DNS show that compromised hosts and the IP addresses of CC servers are detected accurately.
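The following is an added Python sketch of the group-activity check the abstract describes; it is not code from the paper or its author. The log tuple format, the epoch numbering, the definition of a "new" domain (one not successfully resolved in any earlier epoch), the mean pairwise Jaccard score over the hosts' NXDOMAIN sets, and the thresholds `min_hosts` and `min_score` are all assumptions of this example, and every host, domain and IP in the sample log is constructed.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample DNS log: (epoch, client_ip, qname, rcode, answer_ip).
# Epoch 0 is the baseline; epoch 1 is the epoch under analysis.
# 10.0.0.11-13 play the role of compromised hosts; 10.0.0.20/21 are benign.
SAMPLE_LOG = [
    (0, "10.0.0.11", "www.example.org", "NOERROR", "198.51.100.10"),
    (0, "10.0.0.12", "www.example.org", "NOERROR", "198.51.100.10"),
    (0, "10.0.0.20", "mail.example.org", "NOERROR", "198.51.100.11"),
    # epoch 1: three hosts resolve the same fresh (Domain Flux) name ...
    (1, "10.0.0.11", "qz8v1k.example", "NOERROR", "203.0.113.5"),
    (1, "10.0.0.12", "qz8v1k.example", "NOERROR", "203.0.113.5"),
    (1, "10.0.0.13", "qz8v1k.example", "NOERROR", "203.0.113.5"),
    # ... and share a burst of NXDOMAIN answers for unregistered candidates
    (1, "10.0.0.11", "a1b2c3.example", "NXDOMAIN", None),
    (1, "10.0.0.12", "a1b2c3.example", "NXDOMAIN", None),
    (1, "10.0.0.13", "a1b2c3.example", "NXDOMAIN", None),
    (1, "10.0.0.11", "d4e5f6.example", "NXDOMAIN", None),
    (1, "10.0.0.12", "d4e5f6.example", "NXDOMAIN", None),
    (1, "10.0.0.13", "d4e5f6.example", "NXDOMAIN", None),
    (1, "10.0.0.11", "g7h8i9.example", "NXDOMAIN", None),
    (1, "10.0.0.13", "g7h8i9.example", "NXDOMAIN", None),
    # benign hosts: a new but legitimate domain and one isolated typo
    (1, "10.0.0.20", "news.example.org", "NOERROR", "198.51.100.12"),
    (1, "10.0.0.21", "news.example.org", "NOERROR", "198.51.100.12"),
    (1, "10.0.0.20", "mial.example.org", "NXDOMAIN", None),
]


def known_domains_before(log, epoch):
    """Domains successfully resolved in any earlier epoch (assumed 'not new')."""
    return {q for e, _, q, rc, _ in log if e < epoch and rc == "NOERROR"}


def epoch_views(log, epoch):
    """Per-host new-domain sets, per-host NXDOMAIN sets, and answer IPs of new domains."""
    known = known_domains_before(log, epoch)
    new_by_host, nx_by_host, answers = defaultdict(set), defaultdict(set), defaultdict(set)
    for e, host, qname, rcode, ip in log:
        if e != epoch:
            continue
        if rcode == "NXDOMAIN":
            nx_by_host[host].add(qname)
        elif rcode == "NOERROR" and qname not in known:
            new_by_host[host].add(qname)
            if ip:
                answers[qname].add(ip)
    return new_by_host, nx_by_host, answers


def group_hosts_by_new_domain(new_by_host):
    """Invert host -> new domains into new domain -> hosts that queried it."""
    groups = defaultdict(set)
    for host, domains in new_by_host.items():
        for domain in domains:
            groups[domain].add(host)
    return groups


def group_activity(hosts, nx_by_host):
    """Mean pairwise Jaccard similarity of the hosts' NXDOMAIN sets.

    Returns 0.0 when the group has fewer than two hosts or no NXDOMAIN traffic,
    so a single host, or a lone typo, can never look like coordinated activity.
    """
    pairs = list(combinations(sorted(hosts), 2))
    if not pairs:
        return 0.0
    total = 0.0
    for a, b in pairs:
        sa, sb = nx_by_host.get(a, set()), nx_by_host.get(b, set())
        union = sa | sb
        total += len(sa & sb) / len(union) if union else 0.0
    return total / len(pairs)


def detect(log, epoch, min_hosts=3, min_score=0.5):
    """Flag new domains whose querying hosts share NXDOMAIN activity.

    Hosts in a flagged group are reported as compromised and the answer IPs of
    the flagged domain as candidate CC (command-and-control) server addresses.
    """
    new_by_host, nx_by_host, answers = epoch_views(log, epoch)
    compromised, cc_ips, flagged = set(), set(), {}
    for domain, hosts in group_hosts_by_new_domain(new_by_host).items():
        if len(hosts) < min_hosts:
            continue  # too small a group to speak of group behavior
        score = group_activity(hosts, nx_by_host)
        if score >= min_score:
            flagged[domain] = round(score, 3)
            compromised |= hosts
            cc_ips |= answers.get(domain, set())
    return {"compromised_hosts": sorted(compromised),
            "cc_ips": sorted(cc_ips),
            "flagged_domains": flagged}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG, epoch=1))
```

On the constructed log, the three hosts that resolved `qz8v1k.example` have NXDOMAIN sets with a mean pairwise Jaccard of about 0.78, so that domain, its hosts and its answer IP are reported; `news.example.org` is new as well, but only two hosts queried it and they share no NXDOMAIN names, so it is not flagged. In a real deployment the baseline of known domains would be built from a much longer history than one epoch, and the thresholds would be tuned against the false-positive rate of the ISP's own traffic.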