Identifying botnets by capturing group activities in DNS traffic

Hyunsang Choi, Heejo Lee

Research output: Contribution to journalArticlepeer-review

107 Citations (Scopus)


Botnets have become the main vehicle to conduct online crimes such as DDoS, spam, phishing and identity theft. Even though numerous efforts have been directed towards detection of botnets, evolving evasion techniques easily thwart detection. Moreover, existing approaches can be overwhelmed by the large amount of data needed to be analyzed. In this paper, we propose a light-weight mechanism to detect botnets using their fundamental characteristics, i.e., group activity. The proposed mechanism, referred to as BotGAD (botnet group activity detector) needs a small amount of data from DNS traffic to detect botnet, not all network traffic content or known signatures. BotGAD can detect botnets from a large-scale network in real-time even though the botnet performs encrypted communications. Moreover, BotGAD can detect botnets that adopt recent evasion techniques. We evaluate BotGAD using multiple DNS traces collected from different sources including a campus network and large ISP networks. The evaluation shows that BotGAD can automatically detect botnets while providing real-time monitoring in large scale networks.

Original languageEnglish
Pages (from-to)20-33
Number of pages14
JournalComputer Networks
Issue number1
Publication statusPublished - 2012 Jan 12

Bibliographical note

Funding Information:
This research was supported by the MKE, Korea, under the ITRC support program supervised by the NIPA (NIPA-2011-C1090-1131-0005) and the Seoul R&BD Program (WR080951). The preliminary version of this paper was presented in IEEE CIT [1] and COMSWARE [2] .


  • Botnet
  • DNS
  • Group activity

ASJC Scopus subject areas

  • Computer Networks and Communications


Dive into the research topics of 'Identifying botnets by capturing group activities in DNS traffic'. Together they form a unique fingerprint.

Cite this