EXPOSURE: a passive DNS analysis service to detect and report malicious domains

Bilge, Leyla; Sen, Sevil; Balzarotti, Davide; Kirda, Engin; Kruegel, Christopher
ACM Transactions on Information and System Security (TISSEC), Volume 16, N°4, April 2014, ISSN: 1094-9224

A wide range of malicious activities rely on the domain name service (DNS) to manage their large, distributed networks of infected machines. As a consequence, the monitoring and analysis of DNS queries has recently been proposed as one of the most promising techniques to detect and blacklist domains involved in malicious activities (e.g., phishing, spam, botnet command and control, etc.). EXPOSURE is a system we designed to detect such domains in real time by applying 15 unique features grouped into 4 categories. We conducted a controlled experiment with a large, real-world data set consisting of billions of DNS requests. The extremely positive results obtained in the tests convinced us to implement our techniques and deploy them as a free, online service. In this paper, we present the EXPOSURE system and describe the results and the lessons learned from its 17 months of operation. Over this period, the service detected over 100K malicious domains. The statistics about the time of usage, number of queries, and target IP addresses of each domain are also published on a daily basis on the service webpage.

DOI: http://dx.doi.org/10.1145/2584679
Type: Journal
Date: 2014-01-22
Department: Digital Security
Eurecom Ref: 4209
Copyright: © ACM, 2014. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ACM Transactions on Information and System Security (TISSEC), Volume 16, N°4, April 2014, ISSN: 1094-9224, http://dx.doi.org/10.1145/2584679

Permalink: https://www.eurecom.fr/publication/4209