EXPOSURE: A Passive DNS Analysis Service to Detect and Report Malicious Domains

Bilge L., Sen S., Balzarotti D., Kirda E., Kruegel C.

ACM TRANSACTIONS ON INFORMATION AND SYSTEM SECURITY, vol.16, no.4, 2014 (SCI-Expanded) identifier identifier


A wide range of malicious activities rely on the domain name service (DNS) to manage their large, distributed networks of infected machines. As a consequence, the monitoring and analysis of DNS queries has recently been proposed as one of the most promising techniques to detect and blacklist domains involved in malicious activities (e.g., phishing, spam, botnets command-and-control, etc.). EXPOSURE is a system we designed to detect such domains in real time, by applying 15 unique features grouped in four categories.