Efficiency of Malware Detection Based on DNS Packet Analysis Over Real Network Traffic

Abstract

Domain names queried by infected network terminals to domain name system (DNS) servers may reveal connection attempts to some command and control (C&C) server, which makes DNS-based malware detection a well-established technique in network security. Such a technique clearly is the only one available when the analysis is performed on DNS server logs. Today, however, intrusion detection approaches that analyze the entire network traffic generated by an endpoint are becoming increasingly popular. In this paper, we assess the effectiveness of DNS-based malware detection even when working over the entire network traffic. We consider malware detection techniques exploiting neural network-based DNS packet analysis and study their effectiveness in detecting malware from real network traffic generated by an infected terminal, also identifying under which conditions they achieve their best detection performance.