Predentifier: Detecting Botnet C&C Domains From Passive DNS Data

Tilman Frosch, Marc Kührer, Thorsten Holz

Advances in IT Early Warning, Fraunhofer Verlag, February 2013. ISBN: 978-3-8396-0474-8


The Domain Name System (DNS) is mainly used for benign and legitimate Internet activities. Nevertheless, it also facilitates malicious intentions. Domain names have started to play an increasingly important role in the Command and Control (C&C) infrastructure of botnets. These domains can be added to blocklists or taken down, yet attackers can simply evade the countermeasures by creating hundreds of new domains every day.

To detect C&C domains at an early stage, we propose a framework called Predentifier that combines a host’s DNS configuration properties with secondary data to derive a set of distinctive features that can be used to describe the behavior of a host. We employ methods of statistical learning to determine whether a domain belongs to a C&C server or if it is benign. We further show that it is possible to leverage passive DNS data to identify C&C domains without infringing on employment or customer rights.

[Book Website] [PDF]

tags: botnet detection, machine learning, passive DNS