Detecting Botnet Activities Based on Abnormal DNS traffic

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

The botnet is considered a critical issue of the Internet due to its fast-growing mechanism and effect. Recently, botnets have utilized the DNS and queried DNS servers just like any legitimate host. In this case, it is difficult to distinguish between legitimate DNS traffic and illegitimate DNS traffic. It is important to build a suitable solution for botnet detection in DNS traffic and consequently protect the network from malicious botnet activities. In this paper, a simple mechanism is proposed that monitors the DNS traffic and detects the abnormal DNS traffic issued by the botnet, based on the fact that botnets appear as a group of hosts periodically. The proposed mechanism is also able to classify the DNS traffic requested by groups of hosts (group behavior) and single hosts (individual behavior), and consequently detect the abnormal domain names issued by malicious botnets. Finally, the experimental results proved that the proposed mechanism is robust and able to classify DNS traffic, and efficiently detects botnet activity with an average detection rate of 89 percent.


💡 Research Summary

The paper addresses the growing threat of botnets that have increasingly adopted the Domain Name System (DNS) as a covert command‑and‑control (C2) channel. Because DNS queries from compromised machines look indistinguishable from legitimate traffic, traditional intrusion detection systems struggle to separate malicious from benign activity. To tackle this problem, the authors propose a lightweight, rule‑based detection mechanism that monitors DNS traffic in real time and classifies it into two behavioral categories: “group behavior” (multiple hosts querying the same domain periodically) and “individual behavior” (a single host exhibiting anomalous query patterns).

The system architecture consists of three main components. First, a DNS log collector captures every query’s source IP, queried domain name, timestamp, and TTL value. Second, a behavior‑analysis engine processes the logs within a sliding time window (e.g., five minutes). For group behavior, the engine counts how many distinct IP addresses query the same domain within the window and checks whether the inter‑query intervals follow a roughly regular period. If the number of distinct IPs exceeds a configurable threshold N and the period variance is below a second‑level threshold, the domain is flagged as a “group‑queried” candidate. For individual behavior, the engine looks for unusually high query rates from a single IP (e.g., more than M queries per second) or for domain names that deviate from normal lexical patterns (excessive length, high numeric‑character ratio, deep sub‑domain nesting, or abnormal TTL fluctuations).

Both categories are then cross‑checked against a curated blacklist of known malicious domains. In addition, the system applies heuristic filters based on domain‑name structure (length, character distribution) and TTL stability to reduce false positives. The overall workflow is deliberately simple: no deep packet inspection, no statistical modeling, and no machine‑learning classifiers are required, which makes the solution suitable for high‑speed, large‑scale networks.
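To make the workflow above concrete, here is an added Python sketch (not code from the paper or its authors) of the two rule families run over a constructed five-minute DNS log: the group rule counts distinct hosts per domain and checks the variance of their per-host inter-query intervals, the individual rule checks per-second query rate, lexical features (length, digit ratio, label depth) and TTL fluctuation, and every hit is cross-checked against a blacklist. The threshold constants, the sample log, the `.test` domain names and the blacklist entry are all assumed values chosen for the illustration, not values reported by the paper.

```python
# Added example, not the paper's implementation. Thresholds below are assumed values
# (the paper's N and M are not given numerically in the summary).
from collections import defaultdict
from dataclasses import dataclass
from statistics import pvariance


@dataclass(frozen=True)
class Query:
    ts: float   # seconds since the start of the observation window
    src: str    # querying host
    name: str   # queried domain name
    ttl: int    # TTL carried in the answer


MIN_HOSTS = 3          # distinct hosts needed for a "group" candidate (the paper's N)
MAX_PERIOD_VAR = 1.0   # max variance (s^2) of inter-query intervals to count as periodic
MAX_QPS = 10           # max queries per second from one host (the paper's M)
MAX_NAME_LEN = 40
MAX_DIGIT_RATIO = 0.3
MAX_LABELS = 5
MAX_TTL_VALUES = 5     # distinct TTLs tolerated for one registered domain
BLACKLIST = {"c2.example-bot.test"}   # constructed placeholder blacklist


def build_sample_log():
    """Constructed ~300 s window: one synchronized bot cluster, one busy but
    irregular legitimate service, and one host bursting lexically odd names."""
    log = []
    for host in ("10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"):
        for k in range(5):                              # every 60 s, in lockstep
            log.append(Query(k * 60.0, host, "c2.example-bot.test", 300))
    for i, offsets in enumerate(([3, 7.5, 110], [1, 90, 91], [20, 150, 299],
                                 [5, 6, 200], [40, 41, 280], [0, 130, 260])):
        for t in offsets:                               # irregular timing
            log.append(Query(float(t), f"10.0.1.{i}", "cdn.example.test", 60))
    for k in range(20):                                 # 20 queries inside one second
        name = f"{k:04d}{'9' * 12}.a.b.c.d.dga-example.test"
        log.append(Query(100.0 + k * 0.05, "10.0.0.9", name, 5 + k))
    return sorted(log, key=lambda q: q.ts)


def registered_domain(name):
    return ".".join(name.rstrip(".").split(".")[-2:])


def group_candidates(log):
    """Domains queried by >= MIN_HOSTS hosts whose per-host intervals are regular."""
    per_domain = defaultdict(lambda: defaultdict(list))
    for q in log:
        per_domain[q.name][q.src].append(q.ts)
    found = {}
    for name, hosts in per_domain.items():
        if len(hosts) < MIN_HOSTS:
            continue
        intervals = []
        for ts in hosts.values():                       # periodicity per host, pooled
            ts.sort()
            intervals += [b - a for a, b in zip(ts, ts[1:])]
        if len(intervals) < 2:
            continue
        var = pvariance(intervals)
        if var <= MAX_PERIOD_VAR:
            found[name] = {"hosts": len(hosts), "period": sum(intervals) / len(intervals),
                           "variance": var, "blacklisted": name in BLACKLIST}
    return found


def lexical_anomalies(name):
    """Reasons a single name deviates from normal lexical patterns (empty if none)."""
    labels = name.rstrip(".").split(".")
    digits = sum(c.isdigit() for c in name)
    reasons = []
    if len(name) > MAX_NAME_LEN:
        reasons.append("length")
    if digits / max(len(name), 1) > MAX_DIGIT_RATIO:
        reasons.append("digit-ratio")
    if len(labels) > MAX_LABELS:
        reasons.append("depth")
    return reasons


def individual_candidates(log):
    """Hosts exceeding MAX_QPS in any one-second bucket or querying odd names,
    plus registered domains whose TTL fluctuates across the window."""
    per_sec = defaultdict(int)
    odd_names = defaultdict(set)
    ttls = defaultdict(set)
    for q in log:
        per_sec[(q.src, int(q.ts))] += 1
        if lexical_anomalies(q.name):
            odd_names[q.src].add(q.name)
        ttls[registered_domain(q.name)].add(q.ttl)
    hosts = {}
    for (src, _), n in per_sec.items():
        if n > MAX_QPS:
            hosts.setdefault(src, set()).add("rate")
    for src in odd_names:
        hosts.setdefault(src, set()).add("lexical")
    unstable_ttl = {d for d, seen in ttls.items() if len(seen) > MAX_TTL_VALUES}
    return hosts, unstable_ttl


def classify(log):
    hosts, unstable = individual_candidates(log)
    return {"group": group_candidates(log), "individual_hosts": hosts, "ttl_unstable": unstable}


if __name__ == "__main__":
    for key, value in classify(build_sample_log()).items():
        print(key, value)
```

On the constructed log the bot cluster is the only group candidate (four hosts, 60 s period, zero variance, blacklisted), the irregular CDN-style traffic is not flagged despite six hosts hitting one name, and the bursting host trips both the rate and lexical rules while its registered domain shows the TTL fluctuation. Pooling per-host intervals rather than all timestamps for a domain is a deliberate choice: lockstep queries from several hosts would otherwise produce zero-length intervals that inflate the variance.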

To evaluate the approach, the authors built a testbed that combined a real campus network with a virtualized botnet simulator. The simulator reproduced the behavior of real‑world DNS‑based botnets, periodically issuing queries to a set of command domains. Normal traffic was generated by typical user activities such as web browsing, email, and cloud service usage. Over a series of experiments, the detection mechanism achieved an average detection rate of 89 % across all scenarios. Group‑behavior detection performed slightly better (≈ 92 % true‑positive rate) because the synchronized nature of botnet queries is easier to spot. Individual‑behavior detection yielded a lower true‑positive rate of about 85 %, reflecting the difficulty of distinguishing a single compromised host from legitimate high‑frequency users. The reported false‑positive rate was roughly 4 % of total traffic, primarily caused by large content‑delivery networks (CDNs) that legitimately generate many concurrent queries to the same domain.

The authors discuss why the method works: botnets tend to act as coordinated clusters, issuing the same DNS request at regular intervals to locate their C2 server. By focusing on this temporal and spatial correlation, the system can flag malicious activity without needing to inspect payloads. However, the paper also acknowledges several limitations. The detection relies heavily on periodicity; modern botnets that randomize query timing or employ domain‑flux techniques could evade the rules. The rule‑based approach also depends on an up‑to‑date blacklist; newly generated domains would not be caught until the list is refreshed. Moreover, the experimental description lacks details about dataset size, diversity, and the statistical significance of the results, making reproducibility difficult. The authors note that legitimate services with high query volumes (e.g., popular CDNs, large SaaS platforms) can trigger false alarms, suggesting that additional context (such as known service IP ranges) would be needed for production deployment.

In conclusion, the paper demonstrates that a simple, real‑time analysis of DNS logs—focused on group versus individual query patterns—can achieve respectable detection performance against DNS‑based botnets, with an average detection rate of 89 %. The work contributes a pragmatic alternative to heavyweight machine‑learning solutions, especially for environments where computational resources are limited. For future research, the authors propose integrating statistical anomaly detection or lightweight machine‑learning classifiers to capture non‑periodic botnet behavior, expanding the evaluation to diverse network topologies and longer observation periods, and developing automated mechanisms for maintaining the malicious‑domain blacklist. Such extensions would address the current method’s susceptibility to evasion and improve its applicability in real‑world operational settings.

