terriko ([personal profile] terriko) wrote 2012-02-28 03:44 pm

Academic notes: "Detecting malware domains at the upper DNS hierarchy"

This is the first in my series of short notes on the academic papers I'm reading. This is a paper we read for seminar last week, and I chose to review it here not only because the results are interesting but also because it's a highly readable paper in case any of you get curious and want to read along with me.

[Image: Malicious Damage, 2008]

Detecting malware domains at the upper DNS hierarchy
Antonakakis, M. et al, 2011

This paper is all about detecting malware using DNS. It turns out that while "normal" domains are accessed by machines that follow recognizable patterns of geographical and network location, malware domains are accessed by a bunch of zombie machines that could pop up anywhere on any network, so the DNS requests for them look a lot more random. So if you look at the DNS traffic, you can figure out which domains are being used by malware, and you can do it on the fly as the domains change, without needing a manually created blacklist.

It's a pretty neat trick. Malware authors could potentially get around it by making their requests more clever -- doing something more like Facebook or Google, which route you to "close" servers to provide good quality of service -- but until they do, this could be a handy supplement to existing malware detection. Reminds me a lot of greylisting that way.
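To make the "scattered requesters" idea concrete, here's a toy illustration I wrote for this post (it's my own code, not the paper's system): it scores each domain by how spread out its requesters are across /16 prefixes and countries, over a constructed query sample, with arbitrary thresholds I picked just for the demo.

```python
import ipaddress
import math
from collections import Counter, defaultdict

# Constructed sample of queries as seen by an upper-level DNS server:
# (requesting IP, queried domain, country of the requester).
# news.example.com is queried from a couple of nearby networks;
# cc.example.net is queried by hosts scattered across many networks.
SAMPLE_QUERIES = [
    ("192.0.2.10", "news.example.com", "CA"),
    ("192.0.2.45", "news.example.com", "CA"),
    ("192.0.2.77", "news.example.com", "CA"),
    ("198.51.100.3", "news.example.com", "US"),
    ("192.0.2.99", "news.example.com", "CA"),
    ("203.0.113.8", "cc.example.net", "BR"),
    ("198.51.100.3", "cc.example.net", "US"),
    ("192.0.2.45", "cc.example.net", "CA"),
    ("100.64.1.2", "cc.example.net", "IN"),
    ("100.64.200.9", "cc.example.net", "DE"),
]


def shannon_entropy(counts):
    """Entropy (bits) of a Counter; higher means more evenly spread."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)


def requester_dispersion(queries):
    """Per domain: distinct /16 prefixes per query, and country entropy."""
    prefixes = defaultdict(set)
    countries = defaultdict(Counter)
    totals = Counter()
    for ip, domain, country in queries:
        net = ipaddress.ip_network(f"{ip}/16", strict=False)  # coarse network bucket
        prefixes[domain].add(net)
        countries[domain][country] += 1
        totals[domain] += 1
    return {
        d: {"prefix_ratio": len(prefixes[d]) / totals[d],
            "country_entropy": shannon_entropy(countries[d])}
        for d in totals
    }


def flag_dispersed_domains(queries, prefix_ratio=0.6, country_entropy=1.5):
    """Domains whose requesters are unusually scattered (thresholds are assumptions)."""
    feats = requester_dispersion(queries)
    return sorted(d for d, f in feats.items()
                  if f["prefix_ratio"] >= prefix_ratio
                  and f["country_entropy"] >= country_entropy)
```

On this sample only cc.example.net gets flagged; the real paper builds a proper classifier over richer features and much more data, but the intuition is the same.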


@INPROCEEDINGS{antonakakis2011dnsmalware,
author = {Antonakakis, M. and Perdisci, R. and Lee, W. and Vasiloglou II, N. and Dagon, D.},
title = {Detecting malware domains at the upper DNS hierarchy},
booktitle = {Proc. of the 20th USENIX Security Symposium, USENIX Security},
year = {2011},
volume = {11},
pages = {27--27}
}