Texas A&M officials say Reddy's method examines the pattern and distribution of alphabetic characters in a domain name to decide whether it is malicious or legitimate. That lets it spot the algorithmically generated domain names that botnets rely on.
"Our method analyzes only DNS traffic and hence is easily scalable to large networks," said Reddy. "It can detect previously unknown botnets by analyzing a small fraction of the network traffic."
Botnets using both IP fast-flux and domain fast-flux can also be detected by the proposed technique, according to Reddy. IP fast-flux is a round-robin scheme in which a malicious website is constantly rotated across several IP addresses, with its DNS records changed to keep researchers, ISPs and law enforcement from pinning it down. Using the method, Reddy's team discovered two previously unknown botnets: one generates random names 57 characters long, and the other generates names by concatenating two dictionary words.
CERT, a nationwide network security coordination lab based at Carnegie Mellon University, is building a tool based on Reddy's technique and plans to distribute it for public use.