EXPOSURE, a system that employs large-scale, passive DNS analysis techniques to
detect domains that are involved in malicious activity. We use 15 features that
we extract from the DNS traffic that allow us to characterize different
properties of DNS names and the ways that they are queried.
Our experiments with a large, real-world data set consisting
of 100 billion DNS requests, and a real-life deployment
for two weeks in an ISP show that our approach is
scalable and that we are able to automatically identify unknown
malicious domains that are misused in a variety of
malicious activity (such as for botnet command and control,
spamming, and phishing).
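The abstract describes features extracted from passive DNS traffic that characterize both the names themselves and how they are queried, without listing them. The following is an added example, not code from the EXPOSURE paper or its authors: it parses a constructed passive-DNS log (the four-column line format and the sample records are assumptions made here) and computes a handful of per-domain features of those two kinds, plus a hypothetical threshold rule standing in for the trained classifier the paper uses. The feature set is illustrative and is not claimed to be the paper's 15 features.

```python
"""Passive-DNS feature extraction over constructed log lines.

Each record is "<unix_ts> <domain> <ttl> <answer_ip>", the format a
hypothetical passive-DNS sensor is assumed to emit for one A-record
answer seen on the wire. Format and data are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: one stable site and one name with many digits,
# short TTLs and a different answer on every query (fast-flux-like).
SAMPLE_LOG = """\
1300000000 www.example.com 3600 93.184.216.34
1300003600 www.example.com 3600 93.184.216.34
1300007200 www.example.com 3600 93.184.216.34
1300000000 a1b2c3d4e5f6.example.net 60 10.0.0.1
1300000060 a1b2c3d4e5f6.example.net 60 10.0.0.2
1300000120 a1b2c3d4e5f6.example.net 30 10.0.0.3
1300000180 a1b2c3d4e5f6.example.net 60 10.0.0.4
"""


@dataclass
class DomainFeatures:
    domain: str
    queries: int          # how often the name was resolved (query behaviour)
    lifetime_s: int       # span between first and last observed query
    distinct_ips: int     # how many different answers the name returned
    distinct_ttls: int    # how many different TTL values were seen
    mean_ttl: float       # average TTL of the answers
    numeric_ratio: float  # share of digits in the name (name property)


def parse_log(text):
    """Parse the constructed log into (ts, domain, ttl, ip) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, ttl, ip = line.split()
        records.append((int(ts), name.lower().rstrip("."), int(ttl), ip))
    return records


def extract_features(records):
    """Group records by domain and compute one feature vector per domain."""
    by_domain = defaultdict(list)
    for ts, name, ttl, ip in records:
        by_domain[name].append((ts, ttl, ip))

    features = {}
    for name, rows in by_domain.items():
        timestamps = [r[0] for r in rows]
        ttls = [r[1] for r in rows]
        answers = {r[2] for r in rows}
        label_chars = name.replace(".", "")
        digits = sum(c.isdigit() for c in label_chars)
        features[name] = DomainFeatures(
            domain=name,
            queries=len(rows),
            lifetime_s=max(timestamps) - min(timestamps),
            distinct_ips=len(answers),
            distinct_ttls=len(set(ttls)),
            mean_ttl=sum(ttls) / len(ttls),
            numeric_ratio=digits / len(label_chars) if label_chars else 0.0,
        )
    return features


def flag_suspicious(f):
    """Hypothetical threshold rule used here in place of a trained classifier:
    many distinct answers with short TTLs, or a digit-heavy name, is flagged."""
    fluxing = f.distinct_ips >= 3 and f.mean_ttl < 300
    digit_heavy = f.numeric_ratio > 0.25
    return fluxing or digit_heavy


if __name__ == "__main__":
    for name, f in extract_features(parse_log(SAMPLE_LOG)).items():
        print(name, f, "SUSPICIOUS" if flag_suspicious(f) else "benign")
```

In a real deployment the rule in `flag_suspicious` would be replaced by a classifier trained on labelled domains, and the features would be computed over a sliding time window rather than the whole log so that short-lived names are not drowned out by long-running ones.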
The domain name service (DNS) plays an important role
in the operation of the Internet, providing a two-way mapping
between domain names and their numerical identifiers.
Given its fundamental role, it is not surprising that a wide
variety of malicious activities involve the domain name service
in one way or another. For example, bots resolve DNS
names to locate their command and control servers, and
spam mails contain URLs that link to domains that resolve
to scam servers. Thus, it seems beneficial to monitor the
use of the DNS system for signs that indicate that a certain
name is used as part of a malicious operation.
In this paper, we introduce