MORTON: Detection of Malicious Routines in Large-Scale DNS Traffic

Yael Daihes, Hen Tzaban, Asaf Nadler, Asaf Shabtai

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review


We present MORTON, a method that identifies compromised devices in enterprise networks based on the existence of routine DNS communication between devices and disreputable host names. With its compact representation of the input data and use of efficient signal processing and a neural network for classification, MORTON is designed to be accurate, robust, and scalable. We evaluate MORTON using a large dataset of corporate DNS logs and compare it with two recently proposed beaconing detection methods aimed at detecting malware communication. The results demonstrate that while MORTON ’s accuracy in a synthetic experiment is comparable to that of the other methods, it outperforms those methods in terms of its ability to detect sophisticated bot communication techniques, such as multistage channels. Additionally, MORTON was the most efficient method, running at least 13 times faster than the other methods on large-scale datasets, thus reducing the time to detection. In a real-world evaluation, which includes previously unreported threats, MORTON and the two compared methods were deployed to monitor the (unlabeled) DNS traffic of two global enterprises for a week-long period; this evaluation demonstrates the effectiveness of MORTON in real-world scenarios where it achieved the highest F1-score.

Original languageEnglish
Title of host publicationComputer Security – ESORICS 2021 - 26th European Symposium on Research in Computer Security, Proceedings
EditorsElisa Bertino, Haya Shulman, Michael Waidner
PublisherSpringer Science and Business Media Deutschland GmbH
Number of pages21
ISBN (Print)9783030884178
StatePublished - 1 Jan 2021
Event26th European Symposium on Research in Computer Security, ESORICS 2021 - Virtual, Online
Duration: 4 Oct 20218 Oct 2021

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume12972 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Conference26th European Symposium on Research in Computer Security, ESORICS 2021
CityVirtual, Online


  • Botnet
  • DNS
  • Neural networks
  • PSD

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science (all)


Dive into the research topics of 'MORTON: Detection of Malicious Routines in Large-Scale DNS Traffic'. Together they form a unique fingerprint.

Cite this