Title :
Detecting bot-infected machines based on analyzing the similar periodic DNS queries
Author :
Truong Dinh Tu;Cheng Guang;Liang Yi Xin
Author_Institution :
School of Computer Science and Engineering, Southeast University, Nanjing, China
Abstract :
Modern botnets such as Zeus and Conficker commonly use a technique called domain fluxing, or a Domain Generation Algorithm (DGA), to dynamically generate a large number of pseudo-random domain names through which botnet operators control their bots. These botnets are becoming one of the most serious threats to Internet security on a global scale. In this paper, we present a method for identifying DGA-bot-infected machines based on analyzing the similar periodic time interval series of DNS queries. The method passively captures all DNS traffic at the gateway of the monitored network. First, we group the queries for each domain name requested by hosts and extract the series of time intervals between adjacent queries. Second, we measure the similarity of the queries' periodicity by calculating the squared Euclidean distance between each pair of time interval series. Finally, we apply a hierarchical clustering algorithm to cluster highly similar domain names. The experimental results show that domain names generated by the same botnet or DGA are grouped into the same cluster, so all hosts within the monitored network that query domains in these clusters are marked as compromised hosts running a domain-flux botnet.
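The three steps of the abstract carried out in Python on a constructed set of DNS queries, as an added illustration rather than the paper's own code: grouping queries per domain, extracting inter-query interval series, pairwise squared Euclidean distance, and single-linkage hierarchical clustering cut at a threshold. The threshold value, the minimum of three queries per domain, comparing unequal-length series over their common prefix, and the sample hosts and names are all assumptions.

```python
from collections import defaultdict
from itertools import combinations
# Constructed sample queries (timestamp_s, client_ip, qname), not real traffic:
# two DGA-like names polled every 60 s by one host, one ordinary name queried irregularly.
SAMPLE_QUERIES = [
    (0, "10.0.0.5", "kq3x9.example"), (60, "10.0.0.5", "kq3x9.example"), (120, "10.0.0.5", "kq3x9.example"),
    (0, "10.0.0.5", "zb7tq.example"), (60, "10.0.0.5", "zb7tq.example"), (120, "10.0.0.5", "zb7tq.example"),
    (1, "10.0.0.9", "www.example"), (75, "10.0.0.9", "www.example"), (400, "10.0.0.9", "www.example"),
]

def group_by_domain(queries):
    """Step 1: collect query timestamps and querying hosts per domain name."""
    times, hosts = defaultdict(list), defaultdict(set)
    for ts, host, qname in queries:
        times[qname].append(float(ts))
        hosts[qname].add(host)
    return times, hosts

def interval_series(timestamps):
    """Step 1: gaps between adjacent queries of one domain, in time order."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]

def sq_euclidean(a, b):
    """Step 2: squared Euclidean distance; unequal lengths are compared over their common prefix (assumption)."""
    return sum((x - y) ** 2 for x, y in zip(a, b))

def cluster_domains(series, threshold):
    """Step 3: single-linkage clustering cut at `threshold`, computed as connected components (same partition)."""
    parent = {d: d for d in series}
    def find(d):
        while parent[d] != d:
            d = parent[d]
        return d
    for d1, d2 in combinations(series, 2):
        if sq_euclidean(series[d1], series[d2]) <= threshold:
            parent[find(d1)] = find(d2)  # union the two domains' groups
    groups = defaultdict(set)
    for d in series:
        groups[find(d)].add(d)
    return list(groups.values())

def flag_infected_hosts(queries, threshold=1.0, min_cluster=2):
    """Hosts that query any domain in a cluster of >= min_cluster similarly periodic names."""
    times, hosts = group_by_domain(queries)
    series = {d: interval_series(t) for d, t in times.items() if len(t) >= 3}
    flagged = set()
    for cluster in cluster_domains(series, threshold):
        if len(cluster) >= min_cluster:
            flagged.update(*(hosts[d] for d in cluster))
    return flagged
```

On the sample, the two 60-second names fall into one cluster and only 10.0.0.5 is flagged; in practice the threshold and the minimum cluster size must be tuned against benign periodic traffic such as software update checks, which the paper's clustering step would otherwise group as well.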
Keywords :
"Correlation","Servers","Monitoring","Time measurement","Clustering algorithms","Time series analysis","Euclidean distance"
Conference_Title :
Communications, Management and Telecommunications (ComManTel), 2015 International Conference on
DOI :
10.1109/ComManTel.2015.7394256