Botnet Detection by Monitoring Group Activities in DNS Traffic
Citations
618 citations
Cites background from "Botnet Detection by Monitoring Grou..."
...In [16], the authors propose an anomaly-based botnet detection mechanism by monitoring group activities in the DNS traffic of a local network....
[...]
[...]
356 citations
Cites background or methods from "Botnet Detection by Monitoring Grou..."
...This process is called server migration and it is very useful for botmasters to keep their botnet alive [2, 8, 14, 15]....
[...]
...According to our comparison, the most recent botnet detection techniques [33, 34] based on data mining as well as the DNS-based botnet detection approach in [15] can detect real-world botnets regardless of botnet protocol and structure with a very low false positive rate....
[...]
...detection techniques [15, 33, 34] that can detect botnet regardless of botnet protocol and structure....
[...]
...Consequently, bots will migrate to the new C&C server location and will stay alive [14, 15, 17]....
[...]
...[15] proposed an anomaly-based botnet detection mechanism by monitoring group activities in DNS traffic, which form a group activity in DNS queries simultaneously sent by distributed bots....
[...]
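The group-activity idea the snippets above describe (many local hosts resolving the same C&C name at about the same time, and the same set of hosts doing so again after each migration or re-connect) can be turned into a small detector. The following is an added illustration written for this page, not the original authors' code or data: it reconstructs the approach as per-domain sets of querying source IPs per time window and a Jaccard similarity between consecutive windows. The log records, domain names, window length, group size and similarity threshold are all constructed assumptions; a deployment would tune them against its own resolver logs and would add the separate DDNS-provider check the citing papers mention.

```python
"""Group-activity DNS detector (illustrative reconstruction, not the paper's code).

Idea: a botnet's bots resolve the C&C name as a group, and the same group of
hosts shows up again in later windows. A legitimate popular name is resolved
by a changing, loosely related set of hosts, so consecutive windows overlap
little. A single host polling one name is not group activity at all.
"""
from collections import defaultdict

# Constructed sample resolver log: (timestamp_seconds, src_ip, qname).
BOT_HOSTS = ["10.0.0.%d" % i for i in range(1, 6)]           # assumed bot IPs
SAMPLE_LOG = []
for base in (0, 60, 120):                                     # three check-ins
    for offset, host in enumerate(BOT_HOSTS):
        name = "CNC.example.net." if offset == 2 else "cnc.example.net"  # assumed C&C name
        SAMPLE_LOG.append((base + offset, host, name))
SAMPLE_LOG += [                                               # assumed legitimate site
    (5, "10.0.1.1", "www.example.com"), (12, "10.0.1.2", "www.example.com"),
    (30, "10.0.1.3", "www.example.com"), (70, "10.0.1.4", "www.example.com"),
    (80, "10.0.1.5", "www.example.com"), (95, "10.0.1.6", "www.example.com"),
    (130, "10.0.1.7", "www.example.com"), (140, "10.0.1.2", "www.example.com"),
    (150, "10.0.1.8", "www.example.com"),
]
SAMPLE_LOG += [                                               # one host polling its mail server
    (10, "10.0.2.1", "mail.example.org"), (70, "10.0.2.1", "mail.example.org"),
    (130, "10.0.2.1", "mail.example.org"),
]


def normalize(qname):
    """DNS names are case-insensitive; strip the trailing root dot too."""
    return qname.lower().rstrip(".")


def window_groups(records, window):
    """Map domain -> {window_index: set of source IPs seen in that window}."""
    groups = defaultdict(lambda: defaultdict(set))
    for ts, src, qname in records:
        groups[normalize(qname)][int(ts) // window].add(src)
    return groups


def jaccard(a, b):
    """Jaccard similarity of two IP sets; empty/empty is defined as 0.0."""
    union = a | b
    if not union:
        return 0.0
    return len(a & b) / len(union)


def group_similarity(windows):
    """Mean Jaccard similarity between consecutive observed windows.

    Returns None when fewer than two windows are present, because a single
    observation cannot show the group recurring.
    """
    idx = sorted(windows)
    if len(idx) < 2:
        return None
    sims = [jaccard(windows[i], windows[j]) for i, j in zip(idx, idx[1:])]
    return sum(sims) / len(sims)


def score_domains(records, window=60, min_group=3):
    """Score every domain that formed a group (>= min_group sources) in at
    least two windows. Domains that never formed a group, or did so only
    once, are left out rather than given a misleading score."""
    scores = {}
    for qname, windows in window_groups(records, window).items():
        grouped = {i: s for i, s in windows.items() if len(s) >= min_group}
        if len(grouped) < 2:
            continue
        scores[qname] = {
            "max_group": max(len(s) for s in windows.values()),
            "windows_with_group": len(grouped),
            "similarity": group_similarity(grouped),
        }
    return scores


def detect_group_activity(records, window=60, min_group=3, threshold=0.6):
    """Domains whose recurring query group overlaps strongly across windows."""
    scores = score_domains(records, window, min_group)
    return sorted(q for q, m in scores.items() if m["similarity"] >= threshold)


if __name__ == "__main__":
    for qname, m in score_domains(SAMPLE_LOG).items():
        print(qname, m)
    print("flagged:", detect_group_activity(SAMPLE_LOG))
```

On the constructed log the C&C name is the only one flagged: five hosts resolve it in each of three windows with identical membership, so its similarity is 1.0, while www.example.com also reaches the group size but its windows barely overlap (similarity 0.0), and mail.example.org never forms a group because a single periodic client is not group activity. The window length and thresholds are the tuning knobs; too small a window splits a slow-staggered check-in across windows, too large a window lets unrelated users of a popular site look like a group.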
334 citations
Cites methods from "Botnet Detection by Monitoring Grou..."
...[21] suggested a bot detection technique via the analysis of DNS flows based on generating features of DNS queries....
[...]
References
661 citations
"Botnet Detection by Monitoring Grou..." refers background in this paper
...[2] constructed a multifaceted infrastructure to capture and concurrently track multiple botnets in the wild, and achieved a comprehensive analysis of measurements reflecting several important structural and behavioral aspects of botnets....
[...]
...Recent studies such as [2] on botnet measurements and their detection also have the same weakness for the variants of bot programs....
[...]
588 citations
"Botnet Detection by Monitoring Grou..." refers background in this paper
...[4] outlined the origins and structure of bots and botnets and data from the operator community, studied the effectiveness of detecting botnets by directly monitoring IRC communication or other command and control activity, and showed that a more comprehensive approach is required....
[...]
507 citations
"Botnet Detection by Monitoring Grou..." refers methods in this paper
...Thus, a botmaster wants to arrange several C&C servers, which can be listed in the bot binary, for the stability of the botnet, and uses a dynamic DNS (DDNS) [15], a resolution service that automatically perceives the change of the IP address of a server and substitutes the DNS record by frequent updates and changes, to keep the botnet portable....
[...]
...Third, the botnet usually uses DDNS for its C&C server, but legitimate sites do not commonly use DDNS....
[...]
399 citations
"Botnet Detection by Monitoring Grou..." refers background or methods in this paper
...It is observed that botnets migrated their C&C servers frequently [6], either by being instructed to move to a new IRC channel/server or to download replacement software which pointed them to a different C&C server....
[...]
...[6] identified key metrics for measuring the utility of a botnet, and described various topological structures botnets may use to coordinate attacks....
[...]
364 citations
"Botnet Detection by Monitoring Grou..." refers background in this paper
...presented a perspective based on an in-depth analysis of bot software source code, revealed the complexity of botnet software, and discussed implications for defense strategies based on the analysis [5]....
[...]