

ISG Research Seminar 26 September 2012

26/09/2013 (11:00-12:00)

Contact: Lorenzo Cavallaro


Speaker: Stefano Schiavoni (Politecnico di Milano, Italy)

Stefano received a B.Sc. and M.Sc. "summa cum laude" in Computer Engineering from Politecnico di Milano (TU Milan) in Italy. His research focused on computer security and machine learning; in particular, he tackled the problem of botnets employing domain-flux. Stefano also received an M.Sc. in Computer Science from the University of Illinois at Chicago. Since May 2013, Stefano has been working as a Software Engineer at Google in London, UK.

Title: Tracking and Characterizing Botnets Using Automatically Generated Domains


Modern botnets rely on domain-generation algorithms (DGAs) to build resilient command-and-control infrastructures that are difficult to track or deactivate. Considerable attention has been given to recognizing automatically generated domains (AGDs) from DNS traffic, in order to identify previously unknown AGDs, which helps in the task of disrupting botnets' communication capabilities.

Unfortunately, until now such approaches have required deploying low-level DNS sensors to access data whose collection raises practical and privacy issues, making their adoption problematic. Instead, we propose a system that exploits publicly available and privacy-preserving databases of historical recursive-level DNS traffic. Analyzing such data through linguistics-based models of suspicious domains, we are able to identify automatically generated domain names, characterize their DGAs, isolate logical groups of domains that represent the respective botnets, enrich those groups with new, previously unknown automatically generated domain names, and produce novel knowledge about the evolving behavior of each tracked botnet.

We evaluated our approach on millions of real-world domains, and showed that it correctly isolates families of automatically generated domains that belong to distinct DGAs, and distinguishes automatically generated from non-automatically generated domains in 94.8 percent of the cases. We will show several case studies of our system at work.
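To make the pipeline sketched in the abstract concrete for defenders, here is a small added illustration (not the speaker's system, and not code from the talk) of the three steps it names: score second-level labels with simple linguistic features to flag likely automatically generated domains, group the flagged domains by a coarse DGA fingerprint (TLD, label length, character set), and attach newly observed domains to an existing group when they look generated and share its fingerprint. The feature thresholds, the fingerprint definition and all sample domains are constructed for the example; a real deployment would calibrate thresholds on labeled passive-DNS data and use a public-suffix list instead of the naive label split shown here.

```python
"""Linguistic scoring of DNS labels to flag likely DGA output, grouping of flagged
domains by a coarse DGA fingerprint, and enrichment of those groups with new
observations.  Illustrative code: thresholds and samples are constructed."""
import math
from collections import Counter, defaultdict

VOWELS = set("aeiou")

# Constructed resolver-log style observations (fictitious names, not real IoCs).
SAMPLE_DOMAINS = [
    "cambridge.org", "weather.com", "booking.net", "web2mail.com",
    "xq7vkl2pmzr9.info", "kf3zqw8ptxm1.info",      # 12-char alnum labels, .info
    "kzqxwvjhgtp.biz", "qwrtpzxmnvb.biz",          # 11-char alpha labels, .biz
    "a1b2c3d4e5f6.net",                            # 12-char alnum label, .net
]
NEW_OBSERVATIONS = ["zp9qmx4tkvw7.info", "library.org"]


def second_level_label(domain: str) -> tuple[str, str]:
    """Return (label, tld) for a two-level name such as 'abc.example'.
    Assumption: no public-suffix handling (co.uk etc.) in this illustration."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        raise ValueError(f"expected at least two labels: {domain!r}")
    return parts[-2], parts[-1]


def linguistic_features(label: str) -> dict:
    """Cheap per-label features that separate pronounceable words from random strings."""
    letters = [c for c in label if c.isalpha()]
    digits = [c for c in label if c.isdigit()]
    vowels = [c for c in letters if c in VOWELS]
    # Longest run of characters that are not vowels (consonants or digits).
    longest = run = 0
    for c in label:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    counts = Counter(label)
    entropy = -sum((n / len(label)) * math.log2(n / len(label)) for n in counts.values())
    return {
        "vowel_ratio": len(vowels) / len(letters) if letters else 0.0,
        "digit_ratio": len(digits) / len(label),
        "longest_nonvowel_run": longest,
        "entropy": entropy,
    }


def looks_generated(label: str) -> bool:
    """Constructed decision rule; thresholds are illustrative, not tuned on real data."""
    f = linguistic_features(label)
    return (
        f["vowel_ratio"] < 0.2
        or f["longest_nonvowel_run"] >= 5
        or f["digit_ratio"] >= 0.3
        or (f["entropy"] >= 3.5 and f["vowel_ratio"] < 0.35)
    )


def dga_fingerprint(domain: str) -> tuple[str, int, str]:
    """Coarse fingerprint of the generator: (tld, label length, character set)."""
    label, tld = second_level_label(domain)
    charset = "alnum" if any(c.isdigit() for c in label) else "alpha"
    return (tld, len(label), charset)


def group_generated_domains(domains: list[str]) -> dict:
    """Flag generated-looking domains and group them by fingerprint (one group per candidate botnet)."""
    groups = defaultdict(list)
    for d in domains:
        label, _ = second_level_label(d)
        if looks_generated(label):
            groups[dga_fingerprint(d)].append(d)
    return dict(groups)


def enrich_groups(groups: dict, candidates: list[str]) -> dict:
    """Attach new domains to an existing group when they look generated and match its fingerprint.
    Returns {domain: fingerprint} for the domains that were added."""
    added = {}
    for d in candidates:
        label, _ = second_level_label(d)
        fp = dga_fingerprint(d)
        if looks_generated(label) and fp in groups:
            groups[fp].append(d)
            added[d] = fp
    return added


if __name__ == "__main__":
    groups = group_generated_domains(SAMPLE_DOMAINS)
    for fp, members in groups.items():
        print(fp, members)
    print("enriched:", enrich_groups(groups, NEW_OBSERVATIONS))
```

Run stand-alone, the script prints three groups (one per constructed fingerprint) and reports that the unseen 12-character alphanumeric `.info` name joins the first group while `library.org` is left alone. The grouping key is deliberately crude; the point is that once flagged domains are clustered by generator-specific regularities, each cluster can be tracked over time and new resolver observations can be assigned to it without a sensor on the wire.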

