Thriving on chaos: Proactive detection of command and control domains in internet of things‐scale botnets using DRIFT

In this paper, we introduce DRIFT, a system for detecting command and control (C2) domain names in Internet of Things–scale botnets. Using an intrinsic feature of malicious domain name queries prior to their registration (perhaps due to clock drift), we devise a difference‐based lightweight feature...

Full description

Bibliographic details
Published in: Transactions on emerging telecommunications technologies 2019-04, Vol.30 (4), p.n/a
Main authors: Spaulding, Jeffrey, Park, Jeman, Kim, Joongheon, Nyang, DaeHun, Mohaisen, Aziz
Format: Article
Language: eng
Online access: Full text
Record details
Journal: Transactions on emerging telecommunications technologies
Volume: 30
Issue: 4
Pages: n/a
Authors: Spaulding, Jeffrey; Park, Jeman; Kim, Joongheon; Nyang, DaeHun; Mohaisen, Aziz
Format: Article
DOI: 10.1002/ett.3505
Abstract: In this paper, we introduce DRIFT, a system for detecting command and control (C2) domain names in Internet of Things (IoT)–scale botnets. Using an intrinsic feature of malicious domain name queries prior to their registration (perhaps due to clock drift), we devise a difference‐based lightweight feature for malicious C2 domain name detection. Using NXDomain query and response of a popular malware, we establish the effectiveness of our detector with 99% accuracy and as early as more than 48 hours before they are registered. Our technique serves as a tool of detection where other techniques relying on entropy or domain generating algorithms reversing are impractical.
ISSN: 2161-3915
Source: Wiley Online Library Journals Frontfile Complete