- Yong-lin Zhou
- Qing-shan Li
- Qidi Miao
- Kangbin Yim
DGA-Based Botnet Detection Using DNS Traffic
n recent years, an increasing number of botnets use Domain Generation Algorithms (DGAs) to by-
pass botnet detection systems. DGAs, also referred as “domain fluxing”, has been used since 2004
for botnet controllers, and now become an emerging trend for malware. It can dynamically and fre-
quently generate a large number of random domain names which are used to prevent security systems
from detecting and blocking. In this paper, we present a new technique to detect DGAs using DNS
NXDomain traffic. Our insight is that every domain name in the domain group generated by one
botnet using DGAs is often used for a short period of time, and has similar live time and query style.
We look for this pattern in DNS NXDomain traffic to filter out algorithmically generated domains
that DGA-based botnets generate. We implemented our protosystem and carry outexperiment at a
pilot RDNS of an Internet operator. The results show that our method is of good effectiveness on
detecting algorithmically generated domains used by botnet.