{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,3]],"date-time":"2026-03-03T21:58:37Z","timestamp":1772575117127,"version":"3.50.1"},"reference-count":18,"publisher":"MDPI AG","issue":"5","license":[{"start":{"date-parts":[[2018,5,18]],"date-time":"2018-05-18T00:00:00Z","timestamp":1526601600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Ministry of Science and Technology","award":["KC.01.05\/16-20"],"award-info":[{"award-number":["KC.01.05\/16-20"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>In recent years, botnets have become one of the major threats to information security because they have been constantly evolving in both size and sophistication. A number of botnet detection measures, such as honeynet-based and Intrusion Detection System (IDS)-based, have been proposed. However, IDS-based solutions that use signatures seem to be ineffective because recent botnets are equipped with sophisticated code update and evasion techniques. A number of studies have shown that abnormal botnet detection methods are more effective than signature-based methods because anomaly-based botnet detection methods do not require pre-built botnet signatures and hence they have the capability to detect new or unknown botnets. In this direction, this paper proposes a botnet detection model based on machine learning using Domain Name Service query data and evaluates its effectiveness using popular machine learning techniques. 
Experimental results show that machine learning algorithms can be used effectively in botnet detection and the random forest algorithm produces the best overall detection accuracy of over 90%.<\/jats:p>","DOI":"10.3390\/fi10050043","type":"journal-article","created":{"date-parts":[[2018,5,21]],"date-time":"2018-05-21T04:07:30Z","timestamp":1526875650000},"page":"43","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":95,"title":["Botnet Detection Based On Machine Learning Techniques Using DNS Query Data"],"prefix":"10.3390","volume":"10","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2566-7704","authenticated-orcid":false,"given":"Xuan Dau","family":"Hoang","sequence":"first","affiliation":[{"name":"Posts and Telecommunications Institute of Technology, Hanoi 100000, Vietnam"}]},{"given":"Quynh Chi","family":"Nguyen","sequence":"additional","affiliation":[{"name":"Samsung SVMC, Hanoi 100000, Vietnam"}]}],"member":"1968","published-online":{"date-parts":[[2018,5,18]]},"reference":[{"key":"ref_1","unstructured":"Authority of Information Security (2016). The 2016 Vietnam Information Security Report, Authority of Information Security, MIC."},{"key":"ref_2","unstructured":"Ferguson, R. (2018, February 01). The History of the Botnet. Available online: http:\/\/countermeasures.trendmicro.eu\/the-history-of-the-botnet-part-i\/."},{"key":"ref_3","first-page":"1541","article-title":"A survey of botnet detection based on DNS","volume":"28","author":"Alieyan","year":"2017","journal-title":"Nat. Comput. Appl. Forum"},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Li, X., Wang, J., and Zhang, X. (2017). Botnet Detection Technology Based on DNS. J. Future Internet, 9.","DOI":"10.3390\/fi9040055"},{"key":"ref_5","unstructured":"Ramachandran, A., Feamster, N., and Dagon, D. (2006, January 7). Revealing botnet membership using DNSBL counter-intelligence. 
Proceedings of the 2nd USENIX: Steps to Reducing Unwanted Traffic on the Internet, San Jose, CA, USA."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Villamari-Salomo, R., and Brustoloni, J.C. (2008, January 10\u201312). Identifying botnets using anomaly detection techniques applied to DNS traffic. Proceedings of the 5th IEEE consumer communications and networking conference (CCNC 2008), Las Vegas, NV, USA.","DOI":"10.1109\/ccnc08.2007.112"},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Perdisci, R., Corona, I., Dagon, D., and Lee, W. (2009, January 7\u201311). Detecting malicious flux service networks through passive analysis of recursive DNS traces. Proceedings of the Annual Computer Security Applications Conference, Honolulu, HI, USA.","DOI":"10.1109\/ACSAC.2009.36"},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Yadav, S., Reddy, A.K.K., Reddy, A., and Ranjan, S. (2010, January 1\u201330). Detecting algorithmically generated malicious domain names. Proceedings of the 10th ACM sigcomm Conference on Internet Measurement, Melbourne, Australia.","DOI":"10.1145\/1879141.1879148"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Stalmans, E., and Irwin, B. (2011, January 15\u201317). A framework for DNS based detection and mitigation of malware infections on a network. Proceedings of the 2011 Information Security for South Africa (ISSA), Johannesburg, South Africa.","DOI":"10.1109\/ISSA.2011.6027531"},{"key":"ref_10","unstructured":"Antonakakis, M., Perdisci, R., Lee, W., Vasiloglou, N., and Dagon, D. (2011, January 8). Detecting malware domains at the upper DNS hierarchy. Proceedings of the USENIX security symposium, San Francisco, CA, USA."},{"key":"ref_11","unstructured":"Bilge, L., Kirda, E., Kruegel, C., and Balduzzi, M. (2011). Exposure: Finding Malicious Domains Using Passive DNS Analysis, NDSS."},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Jiang, N., Cao, J., Jin, Y., Li, L., and Zhang, Z.L. 
(2010, January 5\u20138). Identifying suspicious activities through DNS failure graph analysis. Proceedings of the 18th IEEE International Conference on Network Protocols (ICNP), Kyoto, Japan.","DOI":"10.1109\/ICNP.2010.5762763"},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Kheir, N., Tran, F., Caron, P., and Deschamps, N. (2014). Mentor: positive DNS reputation to skim-off benign domains in botnet C&C blacklists. ICT Systems Security and Privacy Protection, Springer.","DOI":"10.1007\/978-3-642-55415-5_1"},{"key":"ref_14","unstructured":"Da Luz, P.M. (2014). Botnet Detection Using Passive DNS, Radboud University."},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Sangani, N.K., and Zarger, H. (2017). Machine Learning in Application Security. Advances in Security in Computing and Communications, IntechOpen.","DOI":"10.5772\/intechopen.68796"},{"key":"ref_16","unstructured":"Smola, A., and Vishwanathan, S.V.N. (2008). Introduction to Machine Learning, Cambridge University Press."},{"key":"ref_17","unstructured":"(2017, November 10). Conficker. Available online: http:\/\/www.cert.at\/static\/conficker\/all_domains.txt."},{"key":"ref_18","unstructured":"(2017, November 10). DGA Dataset. 
Available online: https:\/\/github.com\/nickwallen\/botnet-dga-classifier\/tree\/master\/data."}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/10\/5\/43\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T15:04:53Z","timestamp":1760195093000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/10\/5\/43"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,5,18]]},"references-count":18,"journal-issue":{"issue":"5","published-online":{"date-parts":[[2018,5]]}},"alternative-id":["fi10050043"],"URL":"https:\/\/doi.org\/10.3390\/fi10050043","relation":{},"ISSN":["1999-5903"],"issn-type":[{"value":"1999-5903","type":"electronic"}],"subject":[],"published":{"date-parts":[[2018,5,18]]}}}