ABSTRACT
Botnets play a major role in a vast number of threats to network security, such as DDoS attacks, spam email generation and information theft. Detecting botnets is a difficult task because of the complexity and performance issues involved in analyzing the huge volume of data from real large-scale networks. Major botnet malware uses Domain Generation Algorithms (DGAs) to reduce the chance of being detected by whitelist/blacklist schemes, so DGA botnets have a higher survival rate. This paper proposes a DGA botnet detection scheme based on DNS traffic analysis that uses semantic measures of the queried domain name, such as entropy, the meaningfulness level of the domain name and the frequency of n-gram occurrences, together with the Mahalanobis distance, for domain classification. The proposed method is an improvement of the Phoenix botnet detection mechanism: in the classification phase a modified Mahalanobis distance is used instead of the original one, and the clustering phase is based on a modified k-means algorithm for better effectiveness. The effectiveness of the proposed method was measured and compared with the Phoenix, Linguistic and SVM Light methods. The experimental results show that the accuracy of the proposed botnet detection scheme ranges from 90% to 99.97% depending on the botnet type.
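The feature pipeline the abstract sketches, as an added example that is not the paper's code: each queried domain is reduced to a linguistic feature vector (character entropy, the share of characters covered by dictionary words as a stand-in for the "meaningfulness level", and the share of its bigrams that occur in benign words as a stand-in for n-gram frequency), a benign profile (mean and covariance) is fitted on known-good domains, and a domain is flagged when its Mahalanobis distance from that profile exceeds a threshold. The dictionary, the benign training domains, the ridge term that keeps the covariance invertible and the threshold rule (largest distance seen on the benign training set) are all constructed for this example; the paper's modified Mahalanobis distance and modified k-means clustering are not reproduced here, the standard distance is used and no clustering is done.

```python
"""Added illustration (not the paper's code): per-domain linguistic features and a
Mahalanobis-distance test against a benign profile. Dictionary, benign training
domains, ridge term and threshold rule are constructed assumptions."""
import math
from collections import Counter

# Constructed toy dictionary of meaningful words (Phoenix uses a real word list).
WORDS = {
    "face", "book", "google", "you", "tube", "mail", "news", "bank", "shop", "store",
    "cloud", "data", "net", "work", "web", "site", "micro", "soft", "amazon", "apple",
    "line", "drop", "box", "pay", "pal", "stack", "over", "flow", "twitter", "wiki",
    "media", "git", "hub", "secure", "login", "home", "page", "blog", "video", "music",
    "photo", "share", "link", "chat", "game", "play", "sport", "world", "time", "search",
    "host", "open", "ship", "red",
}

# Constructed benign training set; in practice taken from DNS traffic of clean hosts.
BENIGN_DOMAINS = [
    "google.com", "facebook.com", "youtube.com", "amazon.com", "microsoft.com",
    "twitter.com", "wikipedia.org", "linkedin.com", "github.com", "dropbox.com",
    "paypal.com", "stackoverflow.com", "cloudflare.com", "reddit.com", "apple.com",
    "webmail.net", "homepage.org", "worldnews.com", "securelogin.net", "videogame.org",
]


def sld_label(domain: str) -> str:
    """Label left of the TLD. Assumption: single-label TLDs only (no co.uk handling)."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def entropy(label: str) -> float:
    """Shannon entropy in bits per character of the label's character distribution."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def meaningful_ratio(label: str, words) -> float:
    """Share of characters covered by non-overlapping dictionary words of length >= 3,
    found by dynamic programming over prefixes (best[i] covers label[:i])."""
    n = len(label)
    best = [0] * (n + 1)
    for i in range(1, n + 1):
        best[i] = best[i - 1]            # leave character i-1 uncovered
        for j in range(0, i - 2):        # candidate words label[j:i], length >= 3
            if label[j:i] in words:
                best[i] = max(best[i], best[j] + i - j)
    return best[n] / n if n else 0.0


def bigram_score(label: str, benign_bigrams) -> float:
    """Fraction of the label's bigrams that occur in benign dictionary words."""
    grams = [label[i:i + 2] for i in range(len(label) - 1)]
    if not grams:
        return 0.0
    return sum(g in benign_bigrams for g in grams) / len(grams)


def invert(m):
    """Gauss-Jordan inverse of a small square matrix given as lists of floats."""
    n = len(m)
    a = [list(row) + [float(i == j) for j in range(n)] for i, row in enumerate(m)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(a[r][c]))
        a[c], a[piv] = a[piv], a[c]
        p = a[c][c]
        if abs(p) < 1e-15:
            raise ValueError("singular covariance matrix")
        a[c] = [v / p for v in a[c]]
        for r in range(n):
            if r != c:
                f = a[r][c]
                a[r] = [rv - f * cv for rv, cv in zip(a[r], a[c])]
    return [row[n:] for row in a]


class DgaDetector:
    def __init__(self, benign_domains, words, ridge=1e-6):
        self.words = set(words)
        self.bigrams = {w[i:i + 2] for w in words for i in range(len(w) - 1)}
        vectors = [self.features(d) for d in benign_domains]
        n, p = len(vectors), len(vectors[0])
        self.mean = [sum(v[i] for v in vectors) / n for i in range(p)]
        # Sample covariance plus a small ridge on the diagonal (assumed) so it inverts.
        cov = [[sum((v[i] - self.mean[i]) * (v[j] - self.mean[j]) for v in vectors) / (n - 1)
                + (ridge if i == j else 0.0) for j in range(p)] for i in range(p)]
        self.inv_cov = invert(cov)
        # Assumed threshold rule: largest distance observed on the benign training set.
        self.threshold = max(self.distance(d) for d in benign_domains)

    def features(self, domain):
        label = sld_label(domain)
        return [entropy(label), meaningful_ratio(label, self.words),
                bigram_score(label, self.bigrams)]

    def distance(self, domain):
        d = [x - m for x, m in zip(self.features(domain), self.mean)]
        q = sum(d[i] * self.inv_cov[i][j] * d[j] for i in range(len(d)) for j in range(len(d)))
        return math.sqrt(max(q, 0.0))

    def is_dga(self, domain):
        return self.distance(domain) > self.threshold


if __name__ == "__main__":
    det = DgaDetector(BENIGN_DOMAINS, WORDS)
    for d in ["google.com", "webshop.com", "xqzvkjwp.com", "jjbaycyhmqq.net"]:
        print(f"{d:18} features={[round(f, 3) for f in det.features(d)]} "
              f"distance={det.distance(d):.2f} verdict={'DGA' if det.is_dga(d) else 'benign'}")
```

The bigram feature does most of the work on the random-looking labels: their bigrams almost never appear in real words, so that coordinate alone sits many standard deviations from the benign mean, and the Mahalanobis distance is bounded below by the deviation along any single axis. A training-derived threshold like the one above is optimistic; on real traffic a practitioner would hold out a validation set and tune the threshold against the false-positive rate on it.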
- E. Stalmans. 2011. A Framework for DNS-Based Detection and Mitigation of Malware Infections on a Network. Information Security South Africa Conference.
- S. Yadav, A. K. K. Reddy, A. N. Reddy, and S. Ranjan. 2010. Detecting algorithmically generated malicious domain names. Proceedings of the 10th Annual Conference on Internet Measurement (IMC '10), pages 48--61. New York, NY, USA. http://dl.acm.org/citation.cfm?id=1879148
- Nhauo Davuth, Sung-Ryul Kim. 2013. Classification of Malicious Domain Names using Support Vector Machine and Bi-gram Method. International Journal of Security and Its Applications, Vol. 7, No. 1.
- T. Joachims. 1999. SVM light: Making Large-Scale SVM Learning Practical. Advances in Kernel Methods - Support Vector Learning, B. Schölkopf, C. Burges and A. Smola (eds.), MIT Press.
- Zhou, Li, Miao, and Yim. DGA-Based Botnet Detection Using DNS Traffic. Journal of Internet Services and Information Security (JISIS), volume 3, number 3/4, pages 116--123.
- Stefano Schiavoni, Federico Maggi, Lorenzo Cavallaro, Stefano Zanero. 2014. Phoenix: DGA-Based Botnet Tracking and Intelligence. Detection of Intrusions and Malware, and Vulnerability Assessment, Lecture Notes in Computer Science volume 8550, pages 192--211, Springer.
- G. Eason, B. Noble, I. N. Sneddon. 1993. On certain integrals of Eggdrop: Open source IRC bot. http://www.eggheads.org
- C. Associates. 1998. GTBot. http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453073312
- Chao Li, Wei Jiang, Xin Zou. 2009. Botnet: Survey and Case Study. Fourth International Conference on Innovative Computing, Information and Control.
- Rajab MA, Zarfoss J, Monrose F, Terzis A. 2006. A multifaceted approach to understanding the botnet phenomenon. In Almeida JM, Almeida VAF, Barford P (eds.), Proc. of the 6th ACM Internet Measurement Conf. (IMC 2006), Rio de Janeiro, ACM Press, pages 41--52.
- Abebe Tesfahun, D. Lalitha Bhaskari. 2013. Botnet Detection and Countermeasures - A Survey. International Journal of Emerging Trends & Technology in Computer Science, Volume 2, Issue 4, July - August.
- Sophos. 2002. Troj/Agobot-A. http://www.sophos.com/virusinfo/analyses/trojagobota.html
- Sophos. 2002. Troj/SDBot. http://www.sophos.com/virusinfo/analyses/trojsdbot.html
- Phatbot Trojan Analysis. http://www.secureworks.com/research/threats/phatbot
- M. Suenaga, M. Ciubotariu. 2007. Symantec: Trojan.peacomm. http://www.symantec.com/securityresponse/writeup.jsp?docid=2007011917-1403-99
- Ying Zhang, Yongzheng Zhang, Jun Xiao. 2014. Detecting the DGA-Based Malicious Domain Names. ISCTCS 2013, CCIS 426, pages 130--137.
- Arno Wagner, Bernhard Plattner. 2005. Entropy based worm and anomaly detection in fast IP networks. 14th IEEE International Workshops on Enabling Technologies (WETICE 2005), pages 172--177.
- Manikopoulos C, Papavassiliou S. 2002. Network intrusion and fault detection: a statistical anomaly approach. IEEE Communications Magazine, Vol. 40, Issue 10, Oct 2002, pages 76--82.
- LZO compression library. http://www.oberhumer.com/opensource/lzo/
Index Terms
- A method for detecting DGA botnet based on semantic and cluster analysis