A Clustering Approach for Detecting Auto-generated Botnet Domains

Domain fluxing is a general method for botnet operators to control the victims and escape detection. Botnets based on domain fluxing, such as Conficker, Torpig, Kraken, generate a unique list of domain names based on a predefined domain generation algorithm (DGA). If the algorithm is known in advance, it is easy to identify and block botnet traffic. Unfortunately, exploiting details about the algorithm requires reverse-engineering technology and that is not always feasible. In this paper, we propose a methodology to detect auto-generated domains by measuring the disparity between auto-generated domains and normal domains. The idea is based on the observation that the normal domain names differ from auto-generated domain names in readability, randomness etc., because botnet don't use well-formed words which is highly likely registered. Clustering algorithm is used to group auto-generated domains into several separated clusters and normal domains into other clusters. As shown in the validation and experiment phase, we prove this method can detect DGA domains with high performance.