Detecting bot-infected machines using DNS fingerprinting
Digital Investigation (IF 2.860), Pub Date: 2018-12-28, DOI: 10.1016/j.diin.2018.12.005
Manmeet Singh, Maninder Singh, Sanmeet Kaur

The never-ending menace of botnets is causing many serious problems on the Internet. Although there are significant efforts to detect botnets at the global level, which rely heavily on failed queries and domain flux information, very few efforts are being made to detect bot infection at the enterprise level. Detecting bot-infected machines is vital for any organization in combating various security threats. This work proposes a novel anomaly-based detection technique that considers the hourly DNS fingerprint of hosts and attempts to find anomalous behavior that is quite different from normal machine behavior. This work successfully demonstrates the DNS Anomaly Detection technique (named BotDAD) for detecting bot-infected machines in a network using DNS fingerprinting.




Updated: 2018-12-28