Detecting domain flux through patterns of domain names' alphanumeric characters and querying behavior of hosts

Yongbin Zhang, Yin Lu, Yanning Zhang

Research output: Contribution to journal › Article › peer-review

4 Citations (Scopus)

Abstract

The technique of domain flux has been used by many botnets to avoid being blocked by domain blacklists. A new technique is proposed to detect botnets by analyzing the patterns inherent in the alphanumeric characters of domain names together with the query behavior of hosts. The method analyzes failed domain queries with a support vector machine (SVM) to identify suspicious compromised hosts. Clustering analyses are then performed on newly successful domains and on the groups of hosts that query them, in order to examine whether these host groups are composed of compromised hosts. From this, the command and control (C&C) domains and the related IP addresses used by botnets are detected. Experimental results show that the accuracy of the SVM prediction reaches more than 98.5% after training, and that the system can accurately detect compromised hosts and the IP addresses of C&C servers when DNS traffic from the ISP is monitored.

Original language: English
Pages (from-to): 54-60
Number of pages: 7
Journal: Hsi-An Chiao Tung Ta Hsueh/Journal of Xi'an Jiaotong University
Volume: 47
Issue: 8
DOI
Publication status: Published - Aug 2013
