Building a better botnet DGA mousetrap: separating mice, rats and cheese in DNS data

Botnets and other malware are getting better and better at evading blacklisting in enterprise networks. This draft paper is about an approach for detecting such botnets or other entities, using Domain Name Service (DNS) data and machine learning. Three distinguishing features of this work are that we identify what family of blacklist-evading malware a host machine is infected with, not just that it is infected, using only DNS data as input; that we use syntactic rules in addition to machine learning; and that we currently deal with over two dozen malware families.



Print Friendly, PDF & Email
Josiah Hagen

Josiah Hagen

Security researcher at TippingPoint, applying machine learning techniques to network data.