Botnet threats, such as server attacks or sending of spam e-mail, have been increasing. Therefore, infected hosts must be found and their malicious activities mitigated. An effective method for finding infected hosts is to use a blacklist of domain names. When a bot receives attack commands from a Command and Control (C&C) server, it attempts to resolve domain names of C&C servers. We can thus detect infected hosts by finding those that send queries on black domain names. However, we cannot find all infected hosts because of the inaccuracy of blacklists. There are many black domain names, and the lifetimes of these domain names are short; therefore a blacklist cannot cover all black domain names. We thus present a method for finding unknown black domain names by using DNS query data and an existing blacklist of known black domain names. To achieve this, we focus on DNS queries sent by infected hosts. One bot sends several queries on black domain names due to C&C server redundancy. We use the co-occurrence relation of two different domain names to find unknown black domain names and extend the blacklist. If a domain name frequently co-occurs with a known black name, we assume that the domain name is also black. A cross-validation evaluation of the proposed method showed that 91.2% of domain names that are on the validation list scored in the top 1%.
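As an added illustration of the co-occurrence idea in the abstract (this is not code from the paper; the scoring formula, the sample query log and the blacklist are assumptions), the following Python scores each unlisted domain name by the share of its querying hosts that also resolved a known black name, and runs the leave-one-out check that the abstract's cross-validation implies:

```python
from collections import defaultdict

# Constructed sample DNS query log: (client host, queried domain name).
# Hosts h1-h3 play infected bots querying redundant C&C names; h4-h6 are clean.
QUERY_LOG = [
    ("h1", "cc-alpha.example"), ("h1", "cc-beta.example"), ("h1", "www.example.org"),
    ("h2", "cc-alpha.example"), ("h2", "cc-beta.example"), ("h2", "cdn.example.net"),
    ("h3", "cc-beta.example"), ("h3", "cc-gamma.example"), ("h3", "www.example.org"),
    ("h4", "www.example.org"), ("h4", "cdn.example.net"),
    ("h5", "www.example.org"), ("h5", "mail.example.com"),
    ("h6", "cdn.example.net"), ("h6", "mail.example.com"),
]
# Constructed blacklist: only one C&C name is known; cc-beta/cc-gamma are "unknown".
KNOWN_BLACK = {"cc-alpha.example"}


def hosts_per_domain(log):
    """Map each domain name to the set of hosts that queried it."""
    idx = defaultdict(set)
    for host, name in log:
        idx[name].add(host)
    return idx


def cooccurrence_scores(log, black):
    """Score every non-blacklisted name by how often the hosts that query it also
    query a known black name. Assumed scoring (not the paper's exact formula):
    score(d) = max over known black b of |hosts(d) & hosts(b)| / |hosts(d)|.
    Returns a dict ordered from highest to lowest score (ties broken by name)."""
    idx = hosts_per_domain(log)
    scores = {}
    for name, hosts in idx.items():
        if name in black:
            continue
        best = 0.0
        for b in black:
            if b in idx:
                best = max(best, len(hosts & idx[b]) / len(hosts))
        scores[name] = best
    return dict(sorted(scores.items(), key=lambda kv: (-kv[1], kv[0])))


def holdout_rank(log, black, held_out):
    """Cross-validation step: hide one known black name, score with the rest, and
    return the 1-based rank the hidden name receives (1 = top candidate)."""
    ranked = list(cooccurrence_scores(log, black - {held_out}))
    return ranked.index(held_out) + 1
```

Adding the top-scoring name to the blacklist and rescoring surfaces names (here cc-gamma) that co-occur only with the newly added one, which is the iterative extension the abstract describes.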
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Kazumichi SATO, Keisuke ISHIBASHI, Tsuyoshi TOYONO, Haruhisa HASEGAWA, Hideaki YOSHINO, "Extending Black Domain Name List by Using Co-occurrence Relation between DNS Queries" in IEICE TRANSACTIONS on Communications,
vol. E95-B, no. 3, pp. 794-802, March 2012, doi: 10.1587/transcom.E95.B.794.
URL: https://global.ieice.org/en_transactions/communications/10.1587/transcom.E95.B.794/_p
@ARTICLE{e95-b_3_794,
author={Kazumichi SATO and Keisuke ISHIBASHI and Tsuyoshi TOYONO and Haruhisa HASEGAWA and Hideaki YOSHINO},
journal={IEICE TRANSACTIONS on Communications},
title={Extending Black Domain Name List by Using Co-occurrence Relation between DNS Queries},
year={2012},
volume={E95-B},
number={3},
pages={794-802},
abstract={Botnet threats, such as server attacks or sending of spam e-mail, have been increasing. Therefore, infected hosts must be found and their malicious activities mitigated. An effective method for finding infected hosts is to use a blacklist of domain names. When a bot receives attack commands from a Command and Control (C&C) server, it attempts to resolve domain names of C&C servers. We can thus detect infected hosts by finding these that send queries on black domain names. However, we cannot find all infected hosts because of the inaccuracy of blacklists. There are many black domain names, and the lifetimes of these domain names are short; therefore a blacklist cannot cover all black domain names. We thus present a method for finding unknown black domain names by using DNS query data and an existing blacklist of known black domain names. To achieve this, we focus on DNS queries sent by infected hosts. One bot sends several queries on black domain names due to C&C server redundancy. We use the co-occurrence relation of two different domain names to find unknown black domain names and extend the blacklist. If a domain name frequently co-occurs with a known black name, we assume that the domain name is also black. A cross-validation evaluation of the proposed method showed that 91.2% of domain names that are on the validation list scored in the top 1%.},
keywords={},
doi={10.1587/transcom.E95.B.794},
ISSN={1745-1345},
month={March},
}
TY - JOUR
TI - Extending Black Domain Name List by Using Co-occurrence Relation between DNS Queries
T2 - IEICE TRANSACTIONS on Communications
SP - 794
EP - 802
AU - Kazumichi SATO
AU - Keisuke ISHIBASHI
AU - Tsuyoshi TOYONO
AU - Haruhisa HASEGAWA
AU - Hideaki YOSHINO
PY - 2012
DO - 10.1587/transcom.E95.B.794
JO - IEICE TRANSACTIONS on Communications
SN - 1745-1345
VL - E95-B
IS - 3
JA - IEICE TRANSACTIONS on Communications
Y1 - March 2012
AB - Botnet threats, such as server attacks or sending of spam e-mail, have been increasing. Therefore, infected hosts must be found and their malicious activities mitigated. An effective method for finding infected hosts is to use a blacklist of domain names. When a bot receives attack commands from a Command and Control (C&C) server, it attempts to resolve domain names of C&C servers. We can thus detect infected hosts by finding these that send queries on black domain names. However, we cannot find all infected hosts because of the inaccuracy of blacklists. There are many black domain names, and the lifetimes of these domain names are short; therefore a blacklist cannot cover all black domain names. We thus present a method for finding unknown black domain names by using DNS query data and an existing blacklist of known black domain names. To achieve this, we focus on DNS queries sent by infected hosts. One bot sends several queries on black domain names due to C&C server redundancy. We use the co-occurrence relation of two different domain names to find unknown black domain names and extend the blacklist. If a domain name frequently co-occurs with a known black name, we assume that the domain name is also black. A cross-validation evaluation of the proposed method showed that 91.2% of domain names that are on the validation list scored in the top 1%.
ER -