DocumentCode
680130
Title
Botnet detection based on DNS records and active probing
Author
Prieto, Iria ; Magana, Eduardo ; Morato, Daniel ; Izal, Mikel
Author_Institution
Public University of Navarre, Campus Arrosadia, 31006 Pamplona, Spain
fYear
2011
fDate
18-21 July 2011
Firstpage
307
Lastpage
316
Abstract
Computers connected to the Internet are constantly threatened by different types of malware. Among the most important types of malware are botnets, which convert infected computers into agents that follow actions instructed by a command-and-control server. A botmaster can control thousands of agents. This means a significant capacity to accomplish any kind of network attack (DoS), email spam or phishing. In this paper, communication peculiarities with the command-and-control server are used to provide an identification of computers infected by a botnet. This identification is based mainly on DNS records of registered domains where command-and-control servers are hosted. Therefore, processing overhead is reduced by avoiding per-packet or per-flow network supervision.
Keywords
Correlation; Electronic mail; Measurement; Microcomputers; Ports (Computers); Proposals; Protocols; Botnet; Command and control; DNS record; Domain name; WHOIS;
fLanguage
English
Publisher
ieee
Conference_Titel
Security and Cryptography (SECRYPT), 2011 Proceedings of the International Conference on
Conference_Location
Seville, Spain
Type
conf
Filename
6732404