Abstract

The Internet plays an important role in people’s lives nowadays. However, Internet security is a major concern. Among the various threats facing the Internet and Internet users are so called botnet attacks. A typical botnet is composed of a bot master, a Command and Control (C&C) server and many compromised devices called bots. A bot master can control these bots via the C&C server to launch various attacks, such as DDOS attacks, phishing, spam distribution, and so on. Among all botnets, Domain Generation Algorithm (DGA) botnets are particularly resilient to traditional detection by associating the C&C server to one of the generated domains in each bot. Accordingly, this study presents a robust approach for detecting DGA botnets based on an inspection of the DNS traffic in a system. In the proposed approach, the DNS records are filtered to remove known benign or malicious domains and are then clustered using a modified Chinese Whispers algorithm. The nature of each group (i.e., malicious or benign) is then identified by means of a Sequence Similarity Module and a Query Sequence Similarity Module. It is shown that the proposed method successfully detects various types of botnet in a real-world, large scale network.