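@comment{
  Entry 18499: the Notos paper, presented at the 19th USENIX Security
  Symposium (2010). Fixes versus the original export: the work is a
  conference paper, so @article/journal became @inproceedings/booktitle;
  the malformed month value (2010///) was dropped since year carries the
  date; acronyms in the title are brace-protected against style recasing;
  author names use the unambiguous "Last, First" form with full given
  names; and line-break hyphenation residue ("at- tacks", "com- mand",
  "No- tos", ...) was removed from the abstract.
}
@inproceedings{18499,
  author    = {Antonakakis, Manos and Perdisci, Roberto and Dagon, David and Lee, Wenke and Feamster, Nick},
  title     = {Building a Dynamic Reputation System for {DNS}},
  booktitle = {Proceedings of the 19th {USENIX} Security Symposium},
  year      = {2010},
  abstract  = {The Domain Name System (DNS) is an essential protocol used by both legitimate Internet applications and cyber attacks. For example, botnets rely on DNS to support agile command and control infrastructures. An effective way to disrupt these attacks is to place malicious domains on a {\textquotedblleft}blocklist{\textquotedblright} (or {\textquotedblleft}blacklist{\textquotedblright}) or to add a filtering rule in a firewall or network intrusion detection system. To evade such security countermeasures, attackers have used DNS agility, e.g., by using new domains daily to evade static blacklists and firewalls. In this paper we propose Notos, a dynamic reputation system for DNS. The premise of this system is that malicious, agile use of DNS has unique characteristics and can be distinguished from legitimate, professionally provisioned DNS services. Notos uses passive DNS query data and analyzes the network and zone features of domains. It builds models of known legitimate domains and malicious domains, and uses these models to compute a reputation score for a new domain indicative of whether the domain is malicious or legitimate. We have evaluated Notos in a large ISP{\textquoteright}s network with DNS traffic from 1.4 million users. Our results show that Notos can identify malicious domains with high accuracy (true positive rate of 96.8\%) and low false positive rate (0.38\%), and can identify these domains weeks or even months before they appear in public blacklists.},
}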