BotDigger: Detecting DGA Bots in a Single Network. Zhang, H., Gharaibeh, M., Thanasoulas, S., & Papadopoulos, C. In Proceedings of the IEEE International Conference on Traffic Monitoring and Analysis, pages 16–21, Louvain La Neuve, Belgium, April 2016. IEEE. Paper: http://www.cs.colostate.edu/~hanzhang/papers/BotDigger-TMA16.pdf

Abstract: To improve the resiliency of communication between bots and C&C servers, bot masters began utilizing Domain Generation Algorithms (DGA) in recent years. Many systems have been introduced to detect DGA-based botnets. However, they suffer from several limitations, such as requiring DNS traffic collected across many networks, the presence of multiple bots from the same botnet, and so forth. These limitations make it very hard to detect individual bots when using traffic collected from a single network. In this paper, we introduce BotDigger, a system that detects DGA-based bots using DNS traffic without a priori knowledge of the domain generation algorithm. BotDigger utilizes a chain of evidence, including quantity, temporal and linguistic evidence, to detect an individual bot by only monitoring traffic at the DNS servers of a single network. We evaluate BotDigger's performance using traces from two DGA-based botnets: Kraken and Conficker. Our results show that BotDigger detects all the Kraken bots and 99.8% of Conficker bots. A one-week DNS trace captured from our university and three traces collected from our research lab are used to evaluate false positives. The results show that the false positive rates are 0.05% and 0.39% for these two groups of background traces, respectively.
@InProceedings{Zhang16b,
author = "Han Zhang and Manaf Gharaibeh and Spiros
Thanasoulas and Christos Papadopoulos",
title = "BotDigger: Detecting DGA Bots in a Single Network",
booktitle = "Proceedings of the IEEE International Conference on Traffic Monitoring and Analysis",
year = 2016,
sortdate = "2016-04-08",
project = "ant, lacrend, retrofuture",
pages = "16--21",
month = apr,
address = "Louvain La Neuve, Belgium",
publisher = "IEEE",
jlocation = "johnh: pafile",
keywords = "DGA, uses lander, domain name generation, dns",
doi = "http://dx.doi.org/10.1109/ICIMP.2010.11",
url = "http://www.cs.colostate.edu/~hanzhang/papers/BotDigger-TMA16.pdf",
abstract = "
To improve the resiliency of communication between bots and C\&C servers,
bot masters began utilizing Domain Generation Algorithms (DGA) in recent
years. Many systems have been introduced to detect DGA-based botnets. However,
they suffer from several limitations, such as requiring DNS traffic collected
across many networks, the presence of multiple bots from the same botnet, and
so forth. These limitations make it very hard to detect individual bots when
using traffic collected from a single network. In this paper, we introduce
BotDigger, a system that detects DGA-based bots using DNS traffic without a
priori knowledge of the domain generation algorithm. BotDigger utilizes a chain
of evidence, including quantity, temporal and linguistic evidence, to detect an
individual bot by only monitoring traffic at the DNS servers of a single
network. We evaluate BotDigger's performance using traces from two DGA-based
botnets: Kraken and Conficker. Our results show that BotDigger detects all the
Kraken bots and 99.8\% of Conficker bots. A one-week DNS trace captured from our
university and three traces collected from our research lab are used to evaluate
false positives. The results show that the false positive rates are 0.05\% and
0.39\% for these two groups of background traces, respectively."
}
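The abstract describes BotDigger's "chain of evidence": a host is reported only when quantity evidence (many failed lookups), temporal evidence (those failures clustered in time) and linguistic evidence (the failed names look machine-generated) all hold, using nothing but the query stream seen at one network's resolvers. The following is an added illustration of that idea and is not BotDigger's code. The log format, every threshold, the sliding-window burst definition and the two linguistic features (character entropy and vowel ratio of the second-level label) are assumptions chosen for the example; the sample log is constructed.

```python
"""Single-network DGA-bot triage over resolver logs, illustrating the chain of
evidence (quantity, temporal, linguistic) the abstract describes. Added example,
not BotDigger's code: log format, thresholds and features are assumptions."""
import math
from collections import Counter, defaultdict

# Assumed thresholds, not taken from the paper.
MIN_NXDOMAINS = 5          # quantity: failed lookups per client in the trace
WINDOW_SECONDS = 60        # temporal: width of one NXDOMAIN burst
BURST_FRACTION = 0.5       # temporal: share of a client's failures in one burst
MIN_GENERATED_RATIO = 0.8  # linguistic: share of burst names that look generated
ENTROPY_MIN = 3.2          # linguistic: bits/char of the second-level label
VOWEL_RATIO_MAX = 0.25     # linguistic: DGA labels tend to be vowel-poor

# Constructed sample resolver log, "unix_ts client_ip qname rcode". 10.0.0.5 makes
# occasional typos, 10.0.0.7 hammers missing internal names, 10.0.0.9 walks
# through random-looking names the way a DGA bot does.
SAMPLE_LOG = """\
1460100000 10.0.0.5 www.example.com NOERROR
1460100002 10.0.0.5 typo-exmaple.com NXDOMAIN
1460100050 10.0.0.7 printer1.corp.local NXDOMAIN
1460100050 10.0.0.7 scanner2.corp.local NXDOMAIN
1460100051 10.0.0.7 nas.corp.local NXDOMAIN
1460100051 10.0.0.7 wpad.corp.local NXDOMAIN
1460100052 10.0.0.7 backup.corp.local NXDOMAIN
1460100100 10.0.0.9 qxvkzptrwlmb.com NXDOMAIN
1460100101 10.0.0.9 hjdkfwplqzxv.net NXDOMAIN
1460100101 10.0.0.9 rtyuvbnmkloq.info NXDOMAIN
1460100102 10.0.0.9 zxcqwertyplk.com NXDOMAIN
1460100102 10.0.0.9 pqwrtkzxlnbv.biz NXDOMAIN
1460100103 10.0.0.9 mnbvcxzlkjhg.org NXDOMAIN
1460100200 10.0.0.5 old-blog.example.com NXDOMAIN
1460100450 10.0.0.5 ftp.exmple.com NXDOMAIN
1460100700 10.0.0.5 wwww.example.com NXDOMAIN
1460100950 10.0.0.5 intranet.example.com NXDOMAIN
"""

def parse_log(text):
    """Parse the constructed log into (ts, client, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, rcode = line.split()
            records.append((int(ts), client, qname.lower().rstrip("."), rcode))
    return records

def second_level_label(qname):
    """Label left of the TLD; assumes a single-label public suffix."""
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def shannon_entropy(s):
    """Bits per character of s (0.0 for the empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def vowel_ratio(s):
    return sum(ch in "aeiou" for ch in s) / len(s) if s else 0.0

def looks_generated(label):
    """Linguistic evidence: high-entropy, vowel-poor labels read as machine-made."""
    letters = "".join(ch for ch in label if ch.isalpha())
    return shannon_entropy(letters) >= ENTROPY_MIN and vowel_ratio(letters) <= VOWEL_RATIO_MAX

def largest_burst(fails):
    """Largest run of (ts, qname) failures that fits inside WINDOW_SECONDS."""
    fails = sorted(fails)
    best, start = [], 0
    for end in range(len(fails)):
        while fails[end][0] - fails[start][0] > WINDOW_SECONDS:
            start += 1
        if end - start + 1 > len(best):
            best = fails[start:end + 1]
    return best

def assess_clients(records):
    """Score each client's NXDOMAIN traffic; flag only when all three kinds of evidence hold."""
    failures = defaultdict(list)
    for ts, client, qname, rcode in records:
        if rcode == "NXDOMAIN":          # successful lookups carry no evidence here
            failures[client].append((ts, qname))
    verdicts = {}
    for client, fails in failures.items():
        burst = largest_burst(fails)
        labels = [second_level_label(q) for _, q in burst]
        generated = sum(looks_generated(lab) for lab in labels) / len(labels)
        quantity = len(fails) >= MIN_NXDOMAINS
        temporal = len(burst) / len(fails) >= BURST_FRACTION
        linguistic = generated >= MIN_GENERATED_RATIO
        verdicts[client] = {"nxdomains": len(fails), "burst": len(burst),
                            "generated_ratio": round(generated, 2), "quantity": quantity,
                            "temporal": temporal, "linguistic": linguistic,
                            "flag": quantity and temporal and linguistic}
    return verdicts

def flagged_clients(records):
    """Clients for which the whole chain of evidence holds."""
    return sorted(c for c, v in assess_clients(records).items() if v["flag"])

if __name__ == "__main__":
    for client, verdict in sorted(assess_clients(parse_log(SAMPLE_LOG)).items()):
        print(client, verdict)
    print("suspected DGA bots:", flagged_clients(parse_log(SAMPLE_LOG)))
```

Running it flags only 10.0.0.9. The other two hosts show why a single kind of evidence is not enough: 10.0.0.5 has enough failures (quantity) but they are spread over minutes (no burst), and the misconfigured 10.0.0.7 has a tight burst of failures (quantity and temporal) whose names are ordinary words, so the linguistic check clears it. The entropy and vowel features catch only random-character DGAs; dictionary-based DGAs and legitimate high-entropy names (CDN and anti-spam hostnames) need richer linguistic features and a whitelist, and thresholds have to be tuned against a baseline trace of the network, as the paper does with its background traces.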