Accession Number:



Leveraging Client-Side DNS Failure Patterns to Identify Malicious Behaviors

Descriptive Note:

Journal Article

Corporate Author:

Cornell University Ithaca United States

Report Date:


Pagination or Media Count:



DNS has been increasingly abused by adversaries for cyber-attacks. Recent research has leveraged DNS failures i.e. DNS queries that result in a Non-Existent-Domain response from the server to identify malware activities, especially domainflux botnets that generate many random domains as a rendezvous technique for command- and -control. Using ISP network traces, we conduct a systematic analysis of DNS failure characteristics, with the goal of uncovering how attackers exploit DNS for malicious activities. In addition to DNS failures generated by domain-flux bots, we discover many diverse and stealthy failure patterns that have received little attention. Based on these findings, we present a framework that detects diverse clusters of suspicious domain names that cause DNS failures, by considering multiple types of syntactic as well as temporal patterns. Our evolutionary learning framework evaluates the clusters produced over time to eliminate spurious cases while retaining sustaining i.e., highly suspicious clusters. One of the advantages of our framework is in analyzing DNS failures on per-client basis and not hinging on the existence of multiple clients infected by the same malware. Our evaluation on a large ISP network trace show

Subject Categories:

Distribution Statement: