CODDULM: An approach for detecting C&C domains of DGA on passive DNS traffic
Authors: Chunyu Han, Yongzheng Zhang
Published in: 2017 6th International Conference on Computer Science and Network Technology (ICCSNT), October 2017
DOI: 10.1109/ICCSNT.2017.8343724 (https://doi.org/10.1109/ICCSNT.2017.8343724)
Citations: 5
Abstract
Domains are one of the core components of the Internet, and an increasing amount of malicious activity relies on them, such as spam, botnets and phishing. DGA (Domain Generation Algorithm), a DNS-based technique, is commonly used for domain-flux in botnets. In this paper, we propose a method called CODDULM (C&C domains Of DGA Detection Using Lexical feature and sparse Matrix). First, it finds NXDomains (non-existent domains) in passive DNS traffic to locate suspicious infected hosts. Second, it selects DGA domains by lexical features among the domains queried by those suspicious infected hosts. Last, it discovers DGA C&C (Command and Control) domains with an SVM (Support Vector Machine) classifier. At the end of this paper, we conduct an experiment to verify the effectiveness and the high accuracy of the method.