BotCVD: Visual analysis of DNS traffic for botnet detection

Botnets become one of the serious threats to the Internet. In this paper, we design a light-weighted approach-BotCVD (Bot Cluster Visual Detector) to detect botnet by visually analyzing DNS traffic. To avoid the confusion of the normal DNS traffic, BotCVD analyzes the features of server-host pairs instead of single hosts. Since bots in the same botnet behave similarly in DNS queries, BotCVD visually cluster server-host pairs by computing the dissimilarity matrix of server-host pairs. Through an ordered dissimilarity image, BotCVD could clearly show botnet clusters and detect the infected hosts and malicious servers. Experimental results on real-world network traces merged with synthetic botnet traces indicate that BotCVD can (i) visualize botnet clusters and (ii) detect botnets with a high detection rate and a low false positive rate.