• DocumentCode
    621136
  • Title

    Trapping botnets by DNS failure graphs: Validation, extension and application to a 3G network

  • Author

    Bar, Arian ; Paciello, Antonio ; Romirer-Maierhofer, Peter

  • Author_Institution
    Forschungszentrum Telekommunikation Wien (FTW), Vienna, Austria
  • fYear
    2013
  • fDate
    14-19 April 2013
  • Firstpage
    393
  • Lastpage
    398
  • Abstract
    In the last years, botnets have become one of the major sources of cyber-crime activities carried out via the public Internet. Typically, they may serve a number of different malicious activities such as Distributed Denial of Service (DDoS) attacks, email spam and phishing attacks. In this paper we validate the Domain Name System (DNS) failure graph approach presented earlier in [1]. In our work we apply this approach in an operational 3G mobile network serving a significantly larger user population. Based on the introduction of stable host identifiers we implement a novel approach to the tracking of botnets over a period of several weeks. Our results reveal the presence of several groups of hosts that are members of botnets. We analyze the host groups exhibiting the most suspicious behavior and elaborate on how these participate in botnets and other malicious activities. In the last part of this work we discuss how the accuracy of our detection approach could be improved in the future by correlating the knowledge obtained from applying our method in different networks.
  • Keywords
    3G mobile communication; Internet; computer crime; computer network security; graph theory; DDoS attacks; DNS failure graphs; Distributed Denial of Service attacks; Domain Name System failure graph approach; botnet tracking; botnet trapping; cyber-crime activities; email spam; host identifiers; malicious activities; operational 3G mobile network; phishing attacks; public Internet; Algorithm design and analysis; Clustering algorithms; Electronic mail; IP networks; Monitoring; Servers; Superluminescent diodes;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer Communications Workshops (INFOCOM WKSHPS), 2013 IEEE Conference on
  • Conference_Location
    Turin
  • Print_ISBN
    978-1-4799-0055-8
  • Type

    conf

  • DOI
    10.1109/INFCOMW.2013.6562863
  • Filename
    6562863