Abstract
In this paper, we introduce DRIFT, a system for detecting command and control (C2) domain names in Internet of Things-scale botnets. Using an intrinsic feature of malicious domain name queries observed prior to the domains' registration (perhaps due to clock drift), we devise a difference-based, lightweight feature for malicious C2 domain name detection. Using the NXDomain queries and responses of a popular malware family, we establish the effectiveness of our detector, which reaches 99% accuracy and flags domains more than 48 hours before they are registered. Our technique serves as a detection tool where other techniques relying on entropy or on reversing domain generation algorithms are impractical.
- Title: Thriving on chaos: Proactive detection of command and control domains in internet of things-scale botnets using DRIFT
- Authors: Spaulding, Jeffrey; Park, Jeman; Kim, Joongheon; Nyang, DaeHun; Mohaisen, Aziz
- DOI: 10.1002/ett.3505
- Publication date: 2019-04
- Type: Article
- Volume: 30
- Issue: 4