
Detecting Malware Domains On DNS Traffic

Posted on: 2015-01-26
Degree: Master
Type: Thesis
Country: China
Candidate: S Y Zhang
Full Text: PDF
GTID: 2298330452464134
Subject: Information and Communication Engineering
Abstract/Summary:
Malware remains a major threat to today's Internet. Detecting malware on DNS traffic is a C&C-protocol-independent and yet efficient approach. In this paper, we present our DNS-based detection algorithms, which are capable of detecting various types of malware threats. Our systems are evaluated on live DNS traffic from our campus network.

First, we present our malware detection algorithm based on graph mining. We model domain-host relationships in DNS traffic as a DNS graph. Reputations are inferred by applying the Belief Propagation algorithm on DNS graphs, and are later used to detect malware domains, C&C servers and infected victims. We perform our evaluation on both the DNS query-response graph generated from recursive DNS traffic and the passive DNS graph built from passive DNS data. Our graph mining algorithm attained a true positive rate of 80.63% with a false positive rate as low as 0.023% on the passive DNS graph. When used as a reputation system, our approach is able to achieve a true positive rate of 95.66% and a false positive rate of 1.20%.

We then performed measurements on failed DNS queries, analyzing the root causes of those DNS failures. Based on failed DNS traffic, we designed a clustering-based approach for DGA domain name detection. Our method attained a true positive rate of 99.82% and a false positive rate of 0.39% on a manually labeled dataset. 197,026 DGA domain names were detected in 7 days of campus network traffic, with a detection precision of 98.3%. At the same time, we present another detection algorithm targeting failed malware C&C domains. By exploiting the key characteristics of malware's programmatically generated DNS queries, namely their repeating pattern and fixed retry interval, our system detected 3,027 malware domains affecting 249 clients with a precision of 92.0%.

Compared with previous research, our work has a broader detection scope and is more efficient in implementation. Our research provides a comprehensive solution for DNS-based malware detection.
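The graph-mining step described in the abstract can be illustrated with a small worked example. The following code is an added example, not the thesis's own implementation: it builds a bipartite host-domain graph from a constructed list of (client, queried domain) pairs, seeds a few domains with known reputations, and runs loopy sum-product Belief Propagation with a simple homophily edge potential ("neighbours tend to share a label"). The edge list, the seed domains, the epsilon value and the 0.5 decision threshold are all assumptions chosen for the illustration; the thesis's actual potentials, priors and thresholds are not stated on this page.

```python
from collections import defaultdict

# Constructed sample of (client, queried domain) pairs standing in for the
# host-domain edges of a DNS graph built from resolver logs. Not real data.
DNS_EDGES = [
    ("10.0.0.1", "updates.example.com"),
    ("10.0.0.1", "cdn.example.net"),
    ("10.0.0.2", "updates.example.com"),
    ("10.0.0.2", "cdn.example.net"),
    ("10.0.0.3", "cdn.example.net"),
    ("10.0.0.3", "known-bad.example"),
    ("10.0.0.3", "unknown-a.example"),
    ("10.0.0.4", "known-bad.example"),
    ("10.0.0.4", "unknown-a.example"),
    ("10.0.0.4", "unknown-b.example"),
    ("10.0.0.5", "updates.example.com"),
    ("10.0.0.5", "unknown-c.example"),
]

# Seed priors: P(malicious) for nodes with known reputation (assumed values).
# Every other node starts at 0.5 (no prior knowledge).
SEEDS = {
    "known-bad.example": 0.99,     # e.g. a domain from a C&C blocklist
    "updates.example.com": 0.01,   # e.g. a whitelisted software-update host
}


def build_graph(edges):
    """Undirected bipartite adjacency: hosts <-> domains."""
    adj = defaultdict(set)
    for host, domain in edges:
        adj[host].add(domain)
        adj[domain].add(host)
    return adj


def run_belief_propagation(edges, seeds, epsilon=0.1, max_iter=100, tol=1e-6):
    """Sum-product loopy BP over the DNS graph.

    States are 0 = benign, 1 = malicious. The edge potential psi rewards
    agreeing labels (homophily): psi[x][x] = 0.5 + epsilon.
    Returns {node: P(malicious)} after convergence (or max_iter rounds).
    """
    adj = build_graph(edges)
    psi = [[0.5 + epsilon, 0.5 - epsilon],
           [0.5 - epsilon, 0.5 + epsilon]]
    prior = {}
    for node in adj:
        p_mal = seeds.get(node, 0.5)
        prior[node] = (1.0 - p_mal, p_mal)

    # Messages m[(i, j)] = what node i tells node j about j's state.
    msgs = {(i, j): (0.5, 0.5) for i in adj for j in adj[i]}
    for _ in range(max_iter):
        new_msgs = {}
        for (i, j) in msgs:
            out = [0.0, 0.0]
            for xj in (0, 1):
                total = 0.0
                for xi in (0, 1):
                    prod = prior[i][xi]
                    for k in adj[i]:
                        if k != j:                 # exclude the recipient's own message
                            prod *= msgs[(k, i)][xi]
                    total += prod * psi[xi][xj]
                out[xj] = total
            s = out[0] + out[1]
            new_msgs[(i, j)] = (out[0] / s, out[1] / s)   # normalise to avoid underflow
        delta = max(abs(new_msgs[k][1] - msgs[k][1]) for k in msgs)
        msgs = new_msgs
        if delta < tol:
            break

    beliefs = {}
    for i in adj:
        b = [prior[i][0], prior[i][1]]
        for k in adj[i]:
            b[0] *= msgs[(k, i)][0]
            b[1] *= msgs[(k, i)][1]
        beliefs[i] = b[1] / (b[0] + b[1])
    return beliefs


def classify(beliefs, edges, threshold=0.5):
    """Split flagged nodes into suspicious domains and likely-infected hosts."""
    hosts = {h for h, _ in edges}
    domains = {d for _, d in edges}
    bad_domains = sorted(d for d in domains if beliefs[d] > threshold)
    infected = sorted(h for h in hosts if beliefs[h] > threshold)
    return bad_domains, infected


if __name__ == "__main__":
    scores = run_belief_propagation(DNS_EDGES, SEEDS)
    for node, p in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{node:24s} P(malicious)={p:.3f}")
    print("suspicious domains / infected hosts:", classify(scores, DNS_EDGES))
```

Reputation flows outward from the two seeds: unknown-a.example and unknown-b.example are queried only by hosts that also contacted the seeded C&C domain, so they end up above 0.5, while unknown-c.example shares a client only with the whitelisted update host and stays below it. In practice the quality of the result depends far more on the seed lists and on the choice of potential than on the propagation itself, which is why the abstract reports separate numbers for the raw detector and for its use as a reputation system.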
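The second detector in the abstract keys on two properties of programmatically generated C&C lookups: the same failing name is queried again and again, and the gaps between retries are nearly constant. The code below is an added example, not the thesis's own code, showing that check over a constructed block of failed-query log lines (epoch timestamp, client, query name, response code). It groups NXDOMAIN responses per (client, name), computes the inter-query intervals, and flags groups with enough repeats and a coefficient of variation below a threshold; the log format, the minimum-repeat count and the 0.1 CV threshold are assumptions for the illustration.

```python
import statistics
from collections import defaultdict

# Constructed failed-query log: "<epoch> <client> <qname> <rcode>".
# 10.0.0.7 retries a non-existent name exactly every 60 s (beacon-like);
# 10.0.0.9 retries a missing name at human-looking, irregular gaps;
# 10.0.0.8 mistypes a name once. None of these are real hosts or domains.
FAILED_DNS_LOG = """\
1422230400 10.0.0.7 c2-beacon.example NXDOMAIN
1422230400 10.0.0.7 www.example.com NOERROR
1422230460 10.0.0.7 c2-beacon.example NXDOMAIN
1422230520 10.0.0.7 c2-beacon.example NXDOMAIN
1422230580 10.0.0.7 c2-beacon.example NXDOMAIN
1422230640 10.0.0.7 c2-beacon.example NXDOMAIN
1422230700 10.0.0.7 c2-beacon.example NXDOMAIN
1422230405 10.0.0.9 missing.example.org NXDOMAIN
1422230418 10.0.0.9 missing.example.org NXDOMAIN
1422230605 10.0.0.9 missing.example.org NXDOMAIN
1422230610 10.0.0.9 missing.example.org NXDOMAIN
1422231305 10.0.0.9 missing.example.org NXDOMAIN
1422230700 10.0.0.8 typo.exmaple.com NXDOMAIN
"""

FAILURE_RCODES = {"NXDOMAIN", "SERVFAIL", "REFUSED"}


def parse_log(text):
    """Yield (timestamp, client, qname, rcode) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip blank or malformed lines
        ts, client, qname, rcode = parts
        yield int(ts), client, qname.lower().rstrip("."), rcode


def find_fixed_interval_failures(text, min_queries=4, max_cv=0.1):
    """Return {(client, qname): mean_interval_seconds} for failed names that
    were re-queried at least min_queries times with a near-constant gap.

    max_cv bounds the coefficient of variation (stdev / mean) of the gaps;
    a fixed retry timer gives a CV near 0, human retries give a large one.
    """
    timestamps = defaultdict(list)
    for ts, client, qname, rcode in parse_log(text):
        if rcode in FAILURE_RCODES:
            timestamps[(client, qname)].append(ts)

    flagged = {}
    for key, ts_list in timestamps.items():
        if len(ts_list) < min_queries:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean_gap = sum(gaps) / len(gaps)
        if mean_gap <= 0:
            continue                      # duplicate timestamps, nothing periodic to measure
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            flagged[key] = mean_gap
    return flagged


if __name__ == "__main__":
    for (client, qname), gap in find_fixed_interval_failures(FAILED_DNS_LOG).items():
        print(f"{client} -> {qname}: failing query repeated every ~{gap:.0f}s")
```

Only the 60-second retry loop is reported; the irregular human retries and the single typo fall out on the repeat count or on the CV. A production version would also whitelist names that legitimately fail on a timer (e.g. software probing for a decommissioned host) and correlate flagged names across clients, which is how the abstract arrives at its per-domain and per-client counts.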
Keywords/Search Tags: Malware, Domain Name System, Graph Mining, Belief Propagation, Domain Generation Algorithm