The domain name service (DNS) plays an important role in the operation of the Internet, providing a two-way mapping between domain names and their numerical identifiers. Given its fundamental role, it is not surprising that a wide variety of malicious activities involve the domain name service in one way or another. For example, bots resolve DNS names to locate their command and control servers, and spam mails contain URLs that link to domains that resolve to scam servers. Thus, it seems beneficial to monitor the use of the DNS system for signs that indicate that a certain name is used as part of a malicious operation. In this paper, we introduce EXPOSURE, a system that employs large-scale, passive DNS analysis techniques to detect domains that are involved in malicious activity. We use 15 features that we extract from the DNS traffic that allow us to characterize different properties of DNS names and the ways that they are queried. Our experiments with a large, real-world data set consisting of 100 billion DNS requests, and a real-life deployment for two weeks in an ISP show that our approach is scalable and that we are able to automatically identify unknown malicious domains that are misused in a variety of malicious activity (such as for botnet command and control, spamming, and phishing).

1. M. Antonakakis, D. Dagon, X. Luo, R. Perdisci, W. Lee, and J. Bellmor. A Centralized Monitoring Infrastructure for Improving DNS Security. In Proc. 13th International Symposium on Recent Advances in Intrusion Detection (RAID), Ottawa, Ontario, Canada, Sept. 2010.
2. M. Antonakakis, R. Perdisci, D. Dagon, W. Lee, and N. Feamster. Building a Dynamic Reputation System for DNS. In Proc. 19th USENIX Security Symposium, Washington, DC, Aug. 2010.
3. M. Antonakakis, R. Perdisci, W. Lee, N. V. II, and D. Dagon. Detecting Malware Domains at the Upper DNS Hierarchy. In Proc. 20th USENIX Security Symposium, San Francisco, CA, Aug. 2011.
4. L. Bilge, E. Kirda, C. Kruegel, and M. Balduzzi. EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis. In Proc. 18th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, Feb. 2011.
5. A. Broido, E. Nemeth, and K. Claffy. Spectroscopy of DNS Update Traffic. ACM SIGMETRICS Performance Evaluation Review, 31(1):321, June 2003.
6. M. Antonakakis, R. Perdisci, D. Dagon, W. Lee, and N. Feamster. Building a Dynamic Reputation System for DNS. In19th Usenix Security Symposium, 2010.
7. Michle Basseville and Igor V. Nikiforov. Detection of Abrupt Changes - Theory and Application. PrenticeHall, 1993.
8. Ulrich Bayer, Christopher Kruegel, and Engin Kirda. TTAnalyze: A Tool for Analyzing Malware. In15th EICAR Conference, Hamburg, Germany, 2006.
9. Pavel Berkhin. Survey of clustering data mining techniques. Technical report, 2002.
10. A. P. Bradley. The use of the area under the ROC curve in the evaluation of machine learning algorithms. In Pattern Recognition, volume 30, pages 1145–1159, 1997.

Dns Domain Registration Spam Malicious Domain.