Affiliation:
1. Symantec Research
2. Hacettepe University
3. Eurecom
4. Northeastern University
5. University of California, Santa Barbara
Abstract
A wide range of malicious activities rely on the domain name service (DNS) to manage their large, distributed networks of infected machines. As a consequence, the monitoring and analysis of DNS queries has recently been proposed as one of the most promising techniques to detect and blacklist domains involved in malicious activities (e.g., phishing, spam, botnets command-and-control, etc.). EXPOSURE is a system we designed to detect such domains in real time, by applying 15 unique features grouped in four categories.
We conducted a controlled experiment with a large, real-world dataset consisting of billions of DNS requests. The extremely positive results obtained in the tests convinced us to implement our techniques and deploy it as a free, online service. In this article, we present the
Exposure
system and describe the results and lessons learned from 17 months of its operation. Over this amount of time, the service detected over 100K malicious domains. The statistics about the time of usage, number of queries, and target IP addresses of each domain are also published on a daily basis on the service Web page.
Publisher
Association for Computing Machinery (ACM)
Subject
Safety, Risk, Reliability and Quality,General Computer Science
Reference47 articles.
1. Alexa. 2009. Alexa web information company. http://www.alexa.com/topsites/. Alexa. 2009. Alexa web information company. http://www.alexa.com/topsites/.
2. Amini B. 2008. Kraken botnet infiltration. http://dvlabs.tippingpoint.com/blog/2008/04/28/kraken-botnet-infiltration. Amini B. 2008. Kraken botnet infiltration. http://dvlabs.tippingpoint.com/blog/2008/04/28/kraken-botnet-infiltration.
Cited by
206 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献