Detection of botnet collusion by degree distribution of domains
2010
Malicious botnets threaten the Internet with DDoS attacks, spam, information theft and other criminal activities. They use increasingly sophisticated techniques to hide their Command and Control (C&C) traffic, and many existing detection techniques can be defeated by encryption, tunneling inside popular protocols, delays, and flow perturbation. We introduce a new DNS-based detection approach that detects botnet collusion through anomalies in the degree distribution of visited domains, without any assumption about message content or the statistical properties of the traffic. The proposed technique is difficult to evade without major changes to the bot C&C infrastructure or reduced utility. We evaluate evasion possibilities, derive a theoretical model of the detector's performance, and test the detector on a combination of captured Internet traffic and simulated botnet traffic.
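The following is an added illustration, not code from the paper, of the kind of signal the abstract describes. It assumes a simplified reading of the approach: build a bipartite client-to-domain graph from DNS query logs per time window, take a domain's degree to be the number of distinct clients that resolved it, and flag domains whose degree jumps from (almost) nothing in a baseline window to many clients in the observation window, since uncoordinated users rarely start resolving the same previously unseen name at once. The log format, the `min_clients` and `max_baseline` thresholds, and the sample records are all constructed assumptions for the example and are not taken from the paper.

```python
"""Degree-distribution view of DNS logs for spotting colluding hosts.

Added example, not the paper's code. Assumed simplification: the degree of a
domain is the number of distinct clients resolving it within a window; a
domain that many clients suddenly resolve, but that was unseen in the
baseline window, is a collusion candidate. Thresholds are assumptions.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample logs in an assumed "timestamp client qname" format.
BASELINE_LOG = """\
1000 10.0.0.1 www.example.com
1001 10.0.0.2 www.example.com
1002 10.0.0.3 cdn.example.net
1003 10.0.0.4 mail.example.org
1004 10.0.0.1 cdn.example.net
1005 10.0.0.5 www.example.com
"""

OBSERVED_LOG = """\
2000 10.0.0.1 www.example.com
2001 10.0.0.2 rendezvous.example.test
2002 10.0.0.3 rendezvous.example.test
2003 10.0.0.4 rendezvous.example.test
2004 10.0.0.5 rendezvous.example.test
2005 10.0.0.6 rendezvous.example.test
2006 10.0.0.2 cdn.example.net
2007 10.0.0.7 news.example.org
"""

Record = Tuple[int, str, str]


def parse_log(text: str) -> List[Record]:
    """Parse the constructed log format; names are lower-cased, trailing dot dropped."""
    records: List[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname = line.split()
        records.append((int(ts), client, qname.lower().rstrip(".")))
    return records


def domain_clients(records: List[Record]) -> Dict[str, Set[str]]:
    """Bipartite graph: domain -> set of distinct clients that resolved it."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for _, client, qname in records:
        graph[qname].add(client)
    return dict(graph)


def domain_degrees(records: List[Record]) -> Dict[str, int]:
    """Degree of each domain = number of distinct clients (assumed definition)."""
    return {domain: len(clients) for domain, clients in domain_clients(records).items()}


def degree_distribution(records: List[Record]) -> Dict[int, int]:
    """Map degree k -> number of domains with exactly k distinct clients."""
    return dict(Counter(domain_degrees(records).values()))


def collusion_candidates(baseline: List[Record], observed: List[Record],
                         min_clients: int = 4, max_baseline: int = 1) -> List[str]:
    """Domains resolved by >= min_clients now but by <= max_baseline clients before.

    Both thresholds are assumptions chosen for the constructed sample, not
    values from the paper; in practice they would be tuned per network.
    """
    base = domain_degrees(baseline)
    obs = domain_degrees(observed)
    return sorted(d for d, k in obs.items()
                  if k >= min_clients and base.get(d, 0) <= max_baseline)


if __name__ == "__main__":
    baseline = parse_log(BASELINE_LOG)
    observed = parse_log(OBSERVED_LOG)
    print("baseline degree distribution:", degree_distribution(baseline))
    print("observed degree distribution:", degree_distribution(observed))
    print("collusion candidates:", collusion_candidates(baseline, observed))
```

The evasion side the abstract mentions shows up directly in this toy: a botnet that staggers resolutions across windows or spreads its rendezvous across many names lowers each domain's per-window degree below `min_clients`, at the cost of slower or less reliable C&C, which is the "reduced utility" trade-off the abstract refers to.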