scispace - formally typeset
Search or ask a question
Proceedings ArticleDOI

Botnet Detection by Monitoring Group Activities in DNS Traffic

16 Oct 2007-pp 715-720
TL;DR: This paper proposes a botnet detection mechanism by monitoring DNS traffic to detect botnets, which form a group activity in DNS queries simultaneously sent by distributed bots, which is more robust than the previous approaches.
Abstract: Recent malicious attempts are intended to get financial benefits through a large pool of compromised hosts, which are called software robots or simply "bots." A group of bots, referred to as a botnet, is remotely controllable by a server and can be used for sending spam mails, stealing personal information, and launching DDoS attacks. Growing popularity of botnets compels to find proper countermeasures but existing defense mechanisms hardly catch up with the speed of botnet technologies. In this paper, we propose a botnet detection mechanism by monitoring DNS traffic to detect botnets, which form a group activity in DNS queries simultaneously sent by distributed bots. A few works have been proposed based on particular DNS information generated by a botnet, but they are easily evaded by changing bot programs. Our anomaly-based botnet detection mechanism is more robust than the previous approaches so that the variants of bots can be detectable by looking at their group activities in DNS traffic. From the experiments on a campus network, it is shown that the proposed mechanism can detect botnets effectively while bots are connecting to their server or migrating to another server.
Citations
More filters
Proceedings Article
Leyla Bilge1
01 Jan 2011
TL;DR: This paper introduces EXPOSURE, a system that employs large-scale, passive DNS analysis techniques to detect domains that are involved in malicious activity, and uses 15 features that it extracts from the DNS traffic that allow it to characterize different properties of DNS names and the ways that they are queried.
Abstract: The domain name service (DNS) plays an important role in the operation of the Internet, providing a two-way mapping between domain names and their numerical identifiers. Given its fundamental role, it is not surprising that a wide variety of malicious activities involve the domain name service in one way or another. For example, bots resolve DNS names to locate their command and control servers, and spam mails contain URLs that link to domains that resolve to scam servers. Thus, it seems beneficial to monitor the use of the DNS system for signs that indicate that a certain name is used as part of a malicious operation. In this paper, we introduce EXPOSURE, a system that employs large-scale, passive DNS analysis techniques to detect domains that are involved in malicious activity. We use 15 features that we extract from the DNS traffic that allow us to characterize different properties of DNS names and the ways that they are queried. Our experiments with a large, real-world data set consisting of 100 billion DNS requests, and a real-life deployment for two weeks in an ISP show that our approach is scalable and that we are able to automatically identify unknown malicious domains that are misused in a variety of malicious activity (such as for botnet command and control, spamming, and phishing).

618 citations


Cites background from "Botnet Detection by Monitoring Grou..."

  • ...In [16], the authors propose an anomaly-based botnet detection mechanisms by monitoring group activities in the DNS traffic of a local network....

    [...]

Journal ArticleDOI
TL;DR: A comprehensive review that broadly discusses the botnet problem, briefly summarizes the previously published studies and supplements these with a wide ranging discussion of recent works and solution proposals spanning the entire botnet research field is presented.

368 citations

Proceedings ArticleDOI
18 Jun 2009
TL;DR: A survey of botnet and botnet detection techniques is presented, which clarifies botnet phenomenon and discusses botnets detection techniques, and summarizes bot network detection techniques in each class and provides a brief comparison.
Abstract: Among the various forms of malware, botnets are emerging as the most serious threat against cyber-security as they provide a distributed platform for several illegal activities such as launching distributed denial of service attacks against critical targets, malware dissemination, phishing, and click fraud. The defining characteristic of botnets is the use of command and control channels through which they can be updated and directed. Recently, botnet detection has been an interesting research topic related to cyber-threat and cyber-crime prevention. This paper is a survey of botnet and botnet detection. The survey clarifies botnet phenomenon and discusses botnet detection techniques. This survey classifies botnet detection techniques into four classes: signature-based, anomaly-based, DNS-based, and mining-base. It summarizes botnet detection techniques in each class and provides a brief comparison of botnet detection techniques.

356 citations


Cites background or methods from "Botnet Detection by Monitoring Grou..."

  • ...This process is called server migration and it is very useful for botmasters to keep their botnet alive [2, 8, 14, 15]....

    [...]

  • ...According to our comparison, the most recent botnet detection techniques [33, 34] based on data mining as well as DNSbased botnet detection approach in [15] can detect real-world botnets regardless of botnet protocol and structure with a very low false positive rate....

    [...]

  • ...detection techniques [15, 33, 34] that can detect botnet regardless of botnet protocol and structure....

    [...]

  • ...Consequently, bots will migrate to the new C&C server location and will stay alive [14, 15, 17]....

    [...]

  • ...[15] proposed an anomaly-based botnet detection mechanism by monitoring group activities in DNS traffic, which form a group activity in DNS queries simultaneously sent by distributed bots....

    [...]

Journal ArticleDOI
TL;DR: An ensemble intrusion detection technique is proposed to mitigate malicious events, in particular botnet attacks against DNS, HTTP, and MQTT protocols utilized in IoT networks, and shows that the proposed features have the potential characteristics of normal and malicious activity.
Abstract: Internet of Things (IoT) plays an increasingly significant role in our daily activities, connecting physical objects around us into digital services. In other words, IoT is the driving force behind home automation, smart cities, modern health systems, and advanced manufacturing. This also increases the likelihood of cyber threats against IoT devices and services. Attackers may attempt to exploit vulnerabilities in application protocols, including Domain Name System (DNS), Hyper Text Transfer Protocol (HTTP) and Message Queue Telemetry Transport (MQTT) that interact directly with backend database systems and client–server applications to store data of IoT services. Successful exploitation of one or more of these protocols can result in data leakage and security breaches. In this paper, an ensemble intrusion detection technique is proposed to mitigate malicious events, in particular botnet attacks against DNS, HTTP, and MQTT protocols utilized in IoT networks. New statistical flow features are generated from the protocols based on an analysis of their potential properties. Then, an AdaBoost ensemble learning method is developed using three machine learning techniques, namely decision tree, Naive Bayes (NB), and artificial neural network, to evaluate the effect of these features and detect malicious events effectively. The UNSW-NB15 and NIMS botnet datasets with simulated IoT sensors’ data are used to extract the proposed features and evaluate the ensemble technique. The experimental results show that the proposed features have the potential characteristics of normal and malicious activity using the correntropy and correlation coefficient measures. Moreover, the proposed ensemble technique provides a higher detection rate and a lower false positive rate compared with each classification technique included in the framework and three other state-of-the-art techniques.

334 citations


Cites methods from "Botnet Detection by Monitoring Grou..."

  • ...[21] suggested a bot detection technique via the analysis of DNS flows based on generating features of DNS queries....

    [...]

Journal ArticleDOI
TL;DR: The Exposure system, a system designed to detect malicious domains in real time, by applying 15 unique features grouped in four categories, is presented and the results and lessons learned from 17 months of its operation are described.
Abstract: A wide range of malicious activities rely on the domain name service (DNS) to manage their large, distributed networks of infected machines. As a consequence, the monitoring and analysis of DNS queries has recently been proposed as one of the most promising techniques to detect and blacklist domains involved in malicious activities (e.g., phishing, spam, botnets command-and-control, etc.). EXPOSURE is a system we designed to detect such domains in real time, by applying 15 unique features grouped in four categories.We conducted a controlled experiment with a large, real-world dataset consisting of billions of DNS requests. The extremely positive results obtained in the tests convinced us to implement our techniques and deploy it as a free, online service. In this article, we present the Exposure system and describe the results and lessons learned from 17 months of its operation. Over this amount of time, the service detected over 100K malicious domains. The statistics about the time of usage, number of queries, and target IP addresses of each domain are also published on a daily basis on the service Web page.

287 citations

References
More filters
Proceedings ArticleDOI
25 Oct 2006
TL;DR: This paper attempts to clear the fog surrounding botnets by constructing a multifaceted and distributed measurement infrastructure, which shows that botnets represent a major contributor to unwanted Internet traffic and provides deep insights that may facilitate further research to curtail this phenomenon.
Abstract: The academic community has long acknowledged the existence of malicious botnets, however to date, very little is known about the behavior of these distributed computing platforms. To the best of our knowledge, botnet behavior has never been methodically studied, botnet prevalence on the Internet is mostly a mystery, and the botnet life cycle has yet to be modeled. Uncertainty abounds. In this paper, we attempt to clear the fog surrounding botnets by constructing a multifaceted and distributed measurement infrastructure. Throughout a period of more than three months, we used this infrastructure to track 192 unique IRC botnets of size ranging from a few hundred to several thousand infected end-hosts. Our results show that botnets represent a major contributor to unwanted Internet traffic - 27% of all malicious connection attempts observed from our distributed darknet can be directly attributed to botnet-related spreading activity. Furthermore, we discovered evidence of botnet infections in 11% of the 800,000 DNS domains we examined, indicating a high diversity among botnet victims. Taken as a whole, these results not only highlight the prominence of botnets, but also provide deep insights that may facilitate further research to curtail this phenomenon.

661 citations


"Botnet Detection by Monitoring Grou..." refers background in this paper

  • ...[2] constructed a multifaceted infrastructure to capture and concurrently track multiple botnets in the wild, and achieved a comprehensive analysis of measurements reflecting several important structural and behavioral aspects of botnets....

    [...]

  • ...Recent studies such as [2] on botnet measurements and their detection also have the same weakness for the variants of bot programs....

    [...]

Proceedings Article
07 Jul 2005
TL;DR: This paper outlines the origins and structure of bots and botnets and uses data from the operator community, the Internet Motion Sensor project, and a honeypot experiment to illustrate the botnet problem today and describes a system to detect botnets that utilize advanced command and control systems by correlating secondary detection data from multiple sources.
Abstract: Global Internet threats are undergoing a profound transformation from attacks designed solely to disable infrastructure to those that also target people and organizations. Behind these new attacks is a large pool of compromised hosts sitting in homes, schools, businesses, and governments around the world. These systems are infected with a bot that communicates with a bot controller and other bots to form what is commonly referred to as a zombie army or botnet. Botnets are a very real and quickly evolving problem that is still not well understood or studied. In this paper we outline the origins and structure of bots and botnets and use data from the operator community, the Internet Motion Sensor project, and a honeypot experiment to illustrate the botnet problem today. We then study the effectiveness of detecting botnets by directly monitoring IRC communication or other command and control activity and show a more comprehensive approach is required. We conclude by describing a system to detect botnets that utilize advanced command and control systems by correlating secondary detection data from multiple sources.

588 citations


"Botnet Detection by Monitoring Grou..." refers background in this paper

  • ...[4] outlined the origins and structure of bots and botnets, data from the operator community and study the effectiveness of detecting botnets by directly monitoring IRC communication or other command and control activity and show a more comprehensive approach is required....

    [...]

01 Apr 1997
TL;DR: The Domain Name System was originally designed to support queries of a statically configured database, but the frequency of changes was expected to be fairly low, and all updates were made as external edits to a zone's Master File.
Abstract: The Domain Name System was originally designed to support queries of a statically configured database. While the data was expected to change, the frequency of those changes was expected to be fairly low, and all updates were made as external edits to a zone's Master File.

507 citations


"Botnet Detection by Monitoring Grou..." refers methods in this paper

  • ...Thus, a botmaster wants to arrange several C&C servers which can be listed in the bot binary for the stability of the botnet and uses a dynamic DNS (DDNS) [15] which is a resolution service that automatically perceives the change of the IP address of a server and substitutes the DNS record by frequent updates and changes, for keeping the botnets portable....

    [...]

  • ...Third, the botnet uses DDNS for C&C server usually, but legitimate cites do not commonly use DDNS....

    [...]

Proceedings Article
01 Jan 2006
TL;DR: A diurnal propagation model is created that uses diurnal shaping functions to capture regional variations in online vulnerable populations and lets one compare propagation rates for different botnets, and prioritize response.
Abstract: Time zones play an important and unexplored role in malware epidemics. To understand how time and location affect malware spread dynamics, we studied botnets, or large coordinated collections of victim machines (zombies) controlled by attackers. Over a six month period we observed dozens of botnets representing millions of victims. We noted diurnal properties in botnet activity, which we suspect occurs because victims turn their computers off at night. Through binary analysis, we also confirmed that some botnets demonstrated a bias in infecting regional populations. Clearly, computers that are offline are not infectious, and any regional bias in infections will affect the overall growth of the botnet. We therefore created a diurnal propagation model. The model uses diurnal shaping functions to capture regional variations in online vulnerable populations. The diurnal model also lets one compare propagation rates for different botnets, and prioritize response. Because of variations in release times and diurnal shaping functions particular to an infection, botnets released later in time may actually surpass other botnets that have an advanced start. Since response times for malware outbreaks is now measured in hours, being able to predict short-term propagation dynamics lets us allocate resources more intelligently. We used empirical data from botnets to evaluate the analytical model.

399 citations


"Botnet Detection by Monitoring Grou..." refers background or methods in this paper

  • ...It is observed that botnets were migrate their C&C server frequently [6], either by being instructed to move to a new IRC channel/server or to download a replacement software which pointed them to a different C&C server....

    [...]

  • ...[6] identified key metrics for measuring the utility of a botnet, and describe various topological structures botnet may use to coordinate attacks....

    [...]

Book ChapterDOI
01 Jan 2007
TL;DR: A significant change in motivation for malicious activity has taken place over the past several years: from vandalism and recognition in the hacker community, to attacks and intrusions for financial gain, thereby escalating the network security arms race.
Abstract: The continued growth and diversification of the Internet has been accompanied by an increasing prevalence of attacks and intrusions [40]. It can be argued, however, that a significant change in motivation for malicious activity has taken place over the past several years: from vandalism and recognition in the hacker community, to attacks and intrusions for financial gain. This shift has been marked by a growing sophistication in the tools and methods used to conduct attacks, thereby escalating the network security arms race.

364 citations


"Botnet Detection by Monitoring Grou..." refers background in this paper

  • ...presented a perspective based on an in-depth analysis of bot software source code and reveals the complexity of botnet software, discusses implications for defense strategies based on the analysis [5]....

    [...]

Trending Questions (1)
How to unban someone on CSGO local server?

From the experiments on a campus network, it is shown that the proposed mechanism can detect botnets effectively while bots are connecting to their server or migrating to another server.