Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces

Title: Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces
Publication Type: Conference Paper
Year of Publication: 2009
Authors: Perdisci, R, Corona, I, Dagon, D, Lee, W
Conference Name: Annual Computer Security Applications Conference (ACSAC)
Date Published: 07/12/2009
Conference Location: Honolulu, Hawaii, USA
Keywords: Clustering, DNS, Fast Flux Networks, ids00, spam filtering

In this paper we propose a novel, passive approach for detecting and tracking malicious flux service networks. Our detection system is based on passive analysis of recursive DNS (RDNS) traffic traces collected from multiple large networks. Contrary to previous work, our approach is not limited to the analysis of suspicious domain names extracted from spam emails or precompiled domain blacklists. Instead, our approach is able to detect malicious flux service networks in the wild, i.e., as they are accessed by users who fall victim to malicious content advertised through blog spam, instant messaging spam, social website spam, etc., besides email spam. We experiment with the RDNS traffic passively collected at two large ISP networks. Overall, our sensors monitored more than 2.5 billion DNS queries per day from millions of distinct source IPs for a period of 45 days. Our experimental results show that the proposed approach is able to accurately detect malicious flux service networks. Furthermore, we show how our passive detection and tracking of malicious flux service networks may benefit spam filtering applications.

Citation Key: 787
Attachment: Perdisci_ACSAC09.pdf (206.97 KB)