Thriving on chaos: Proactive detection of command and control domains in internet of things‐scale botnets using DRIFT
Author(s) - Spaulding Jeffrey, Park Jeman, Kim Joongheon, Nyang DaeHun, Mohaisen Aziz
Publication year - 2019
Publication title - Transactions on Emerging Telecommunications Technologies
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.366
H-Index - 47
ISSN - 2161-3915
DOI - 10.1002/ett.3505
Subject(s) - botnet , computer science , malware , command and control , concept drift , domain (mathematical analysis) , the internet , feature (linguistics) , thriving , internet of things , domain name , data mining , computer security , artificial intelligence , world wide web , telecommunications , mathematical analysis , linguistics , philosophy , social science , mathematics , data stream mining , sociology
In this paper, we introduce DRIFT, a system for detecting command and control (C2) domain names in Internet of Things-scale botnets. Using an intrinsic feature of malicious domain names, namely that they are queried before they are registered (perhaps due to clock drift between infected hosts), we devise a lightweight, difference-based feature for malicious C2 domain name detection. Using the NXDomain queries and responses of a popular malware family, we establish the effectiveness of our detector with 99% accuracy, detecting C2 domains as early as more than 48 hours before they are registered. Our technique serves as a detection tool where other techniques, such as those relying on entropy measures or on reversing domain generation algorithms, are impractical.
