
Bayesian bot detection based on DNS traffic similarity

Published: 08 March 2009 Publication History

Abstract

Bots are often detected by their communication with a command and control (C&C) infrastructure. To evade detection, botmasters are increasingly obfuscating C&C communications, e.g., by using fast-flux or peer-to-peer protocols. However, commands tend to elicit similar actions in the bots of the same botnet. We propose and evaluate a Bayesian approach for detecting bots based on the similarity of their DNS traffic to that of known bots. Experimental results and sensitivity analysis suggest that the proposed method is effective and robust.



Published In

SAC '09: Proceedings of the 2009 ACM symposium on Applied Computing
March 2009
2347 pages
ISBN:9781605581668
DOI:10.1145/1529282
Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Bayesian method
  2. DNS
  3. bot
  4. botnet
  5. intrusion detection

Qualifiers

  • Research-article

Conference

SAC09: The 2009 ACM Symposium on Applied Computing
March 8, 2009 - March 12, 2008
Honolulu, Hawaii

Acceptance Rates

Overall Acceptance Rate 1,650 of 6,669 submissions, 25%


Cited By

  • (2022) PUMD: a PU learning-based malicious domain detection framework. Cybersecurity 5:1. doi:10.1186/s42400-022-00124-x. Online publication date: 1-Oct-2022
  • (2021) Anomaly Detection on User Terminals Based on Outbound Traffic Filtering by DNS Query Monitoring and Application Program Identification. Proceedings of the 2021 International Conference on Human-Machine Interaction, pp. 47-56. doi:10.1145/3478472.3478481. Online publication date: 7-May-2021
  • (2021) Rule-Based Approach for Botnet Behavior Analysis. Intelligent Data Analytics for Terror Threat Prediction, pp. 161-179. doi:10.1002/9781119711629.ch8. Online publication date: 15-Jan-2021
  • (2020) A Survey of Fast Flux Botnet Detection With Fast Flux Cloud Computing. International Journal of Cloud Applications and Computing 10:3, pp. 17-53. doi:10.4018/IJCAC.2020070102. Online publication date: 1-Jul-2020
  • (2020) CLAP: Classification of Android PUAs by Similarity of DNS Queries. IEICE Transactions on Information and Systems E103.D:2, pp. 265-275. doi:10.1587/transinf.2019INP0003. Online publication date: 1-Feb-2020
  • (2019) Exploring Non-Human Traffic in Online Digital Advertisements: Analysis and Prediction. Computational Collective Intelligence, pp. 663-675. doi:10.1007/978-3-030-28374-2_57. Online publication date: 9-Aug-2019
  • (2019) Non-Genuine Actors. A Multidisciplinary Framework of Information Propagation Online, pp. 57-63. doi:10.1007/978-3-030-16413-3_6. Online publication date: 27-Apr-2019
  • (2018) A Survey on Malicious Domains Detection through DNS Data Analysis. ACM Computing Surveys 51:4, pp. 1-36. doi:10.1145/3191329. Online publication date: 6-Jul-2018
  • (2018) A Client Based Anomaly Traffic Detection and Blocking Mechanism by Monitoring DNS Name Resolution with User Alerting Feature. 2018 International Conference on Cyberworlds (CW), pp. 351-356. doi:10.1109/CW.2018.00070. Online publication date: Oct-2018
  • (2018) A Malware Beacon of Botnet by Local Periodic Communication Behavior. 2018 IEEE 42nd Annual Computer Software and Applications Conference (COMPSAC), pp. 653-657. doi:10.1109/COMPSAC.2018.10313. Online publication date: Jul-2018
