ABSTRACT
In recent years the botnet phenomenon has become one of the most dangerous threats to Internet security, supporting a wide range of criminal activities including distributed denial of service (DDoS) attacks, click fraud, phishing, malware distribution and spam email. An increasing number of botnets use Domain Generation Algorithms (DGAs) to evade detection and blocking by traditional methods. By dynamically and frequently generating a large number of random domain names as candidates for the command and control (C&C) server, a botnet can survive even when a C&C server domain is identified and taken down. This paper presents a novel method to detect DGA botnets using Collaborative Filtering and Density-Based Clustering. We propose a combination of clustering and classification algorithms that relies on the similarity in the characteristic distribution of domain names to remove noise and group similar domains. A Collaborative Filtering (CF) technique is then applied to find the bots in each botnet, which also helps identify malware-infected machines that are offline. We implemented a prototype system, analysed a huge amount of DNS traffic logs from Viettel Group and obtained positive results.
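As an added illustration of the pipeline the abstract describes (example code, not the paper's or Viettel's implementation), the sketch below clusters domain names by a small character-distribution feature set with a minimal DBSCAN, then applies user-based collaborative filtering over each cluster's host-by-domain query matrix to group hosts into a botnet. The feature set, the eps/min_pts/similarity thresholds and the DNS log are all assumed or constructed.

```python
import math
from collections import Counter, defaultdict

DNS_LOG = [  # constructed sample (client, queried name); not real traffic
    ("10.0.0.1", "xk3q9zv1pl.com"), ("10.0.0.1", "q8w2rt7ybz.net"), ("10.0.0.1", "mz7k2p0xqs.com"),
    ("10.0.0.2", "xk3q9zv1pl.com"), ("10.0.0.2", "q8w2rt7ybz.net"), ("10.0.0.2", "v4j8n1ht2c.org"),
    ("10.0.0.3", "wikipedia.org"), ("10.0.0.3", "github.com"), ("10.0.0.3", "python.org"), ("10.0.0.3", "google.com"),
    ("10.0.0.4", "q8w2rt7ybz.net"), ("10.0.0.4", "mz7k2p0xqs.com"), ("10.0.0.4", "v4j8n1ht2c.org"),
    ("10.0.0.5", "xk3q9zv1pl.com"), ("10.0.0.5", "github.com"),  # mostly offline; only one DGA query seen
    ("10.0.0.6", "b2h7k4m9xw.com"), ("10.0.0.6", "google.com"),  # random-looking name shared with no bot
]

def features(domain):  # assumed feature set for the second-level label: entropy, digit ratio, vowel ratio
    label = domain.split(".")[-2]; n = len(label)
    ent = -sum(c / n * math.log2(c / n) for c in Counter(label).values())
    return (ent / math.log2(n) if n > 1 else 0.0,
            sum(ch.isdigit() for ch in label) / n, sum(ch in "aeiou" for ch in label) / n)

def dbscan(points, eps=0.2, min_pts=3):  # minimal DBSCAN: one cluster id per point, -1 = noise
    nbrs = [[j for j, q in enumerate(points) if math.dist(p, q) <= eps] for p in points]
    labels, cid = [None] * len(points), 0
    for i in range(len(points)):
        if labels[i] is not None: continue
        if len(nbrs[i]) < min_pts: labels[i] = -1; continue  # not a core point
        labels[i], stack = cid, list(nbrs[i])
        while stack:  # grow the cluster through density-reachable core points
            j = stack.pop()
            if labels[j] == -1: labels[j] = cid  # earlier noise becomes a border point
            if labels[j] is not None: continue
            labels[j] = cid
            if len(nbrs[j]) >= min_pts: stack.extend(nbrs[j])
        cid += 1
    return labels

def cosine(u, v):  # cosine similarity of two sparse count vectors (Counters)
    norm = lambda w: math.sqrt(sum(x * x for x in w.values()))
    return sum(u[k] * v.get(k, 0) for k in u) / (norm(u) * norm(v)) if u and v else 0.0

def find_bots(log, sim_threshold=0.3):
    """Cluster domains; per cluster, score each host against the other hosts' combined
    query profile (user-based collaborative filtering, leave-one-out)."""
    domains = sorted({d for _, d in log})
    cluster_of = {d: c for d, c in zip(domains, dbscan([features(d) for d in domains])) if c != -1}
    hosts = defaultdict(lambda: defaultdict(Counter))  # cluster -> host -> domain query counts
    for host, d in log:
        if d in cluster_of: hosts[cluster_of[d]][host][d] += 1
    botnets = {}
    for c, by_host in hosts.items():
        total = sum(by_host.values(), Counter())
        scores = {h: cosine(v, total - v) for h, v in by_host.items()}
        botnets[c] = {h: round(s, 3) for h, s in scores.items() if s >= sim_threshold}
    return cluster_of, botnets
```

On the constructed log the benign names end up as DBSCAN noise while the five random-looking names form one cluster; the host with a single query to that cluster still joins the botnet because its query overlaps with the other bots, whereas the host whose random-looking name no other host queried is left out.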