DBod: Clustering and detecting DGA-based botnets using DNS traffic analysis

Abstract Botnets are among the leading threats to network security today and are used for a wide range of malicious activities, including information theft, phishing, spam distribution, and Distributed Denial of Service (DDoS) attacks. Among the various forms of botnet, DGA-based botnets, which use a Domain Generation Algorithm (DGA) to evade detection, are among the most disruptive and hardest to detect. In such botnets the DGA generates a large list of candidate Command and Control (C&C) server domains, and the bot resolves the candidates one by one through DNS until it reaches an active C&C server. Because only a few of the generated domains ever need to be registered, DGA-based botnets are highly elusive, difficult to block with traditional defensive mechanisms, and therefore highly survivable. Accordingly, this study proposes a DGA-based botnet detection scheme, designated DBod, based on an analysis of the query behavior in DNS traffic. The scheme exploits the fact that hosts compromised by the same DGA-based malware query the same sets of domains from the generated list, and that most of these queries fail (typically with NXDOMAIN responses), since only a very limited number of the domains are actually associated with an active C&C server. The feasibility of the method is evaluated using DNS data collected from an education network over a period of 26 months. The results show that DBod provides an accurate and effective means of detecting both known and new DGA-based botnet patterns in real-world networks.
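The abstract names two signals: hosts infected by the same DGA malware query overlapping sets of candidate domains, and most of those queries fail. The following toy detector is an added illustration of that idea, not the DBod authors' code. The log format, the thresholds, the use of Jaccard similarity over per-host NXDOMAIN sets, and the union-find grouping are all my assumptions rather than the paper's method; the sample log lines are constructed, with two small "bot" groups, one clean host and one host that merely mistypes names.

```python
"""Cluster hosts by shared failed DNS lookups (added example, not DBod code)."""
from collections import defaultdict
from itertools import combinations

# Constructed sample log (not real traffic): time, client, qname, rcode.
# 10.0.0.5/7/9 share one generated domain list and all reach ycwnvxek.org;
# 10.0.0.11/12 share a second list; 10.0.0.20 is clean; 10.0.0.30 has typos.
SAMPLE_LOG = """
2016-03-01T10:00:01 10.0.0.5  qwtrhzkl.com NXDOMAIN
2016-03-01T10:00:02 10.0.0.5  mpxvbqau.net NXDOMAIN
2016-03-01T10:00:03 10.0.0.5  zkfjdwor.info NXDOMAIN
2016-03-01T10:00:04 10.0.0.5  lrtcnqhe.biz NXDOMAIN
2016-03-01T10:00:05 10.0.0.5  vbmskqtz.com NXDOMAIN
2016-03-01T10:00:06 10.0.0.5  hrqpzdlw.net NXDOMAIN
2016-03-01T10:00:07 10.0.0.5  ycwnvxek.org NOERROR
2016-03-01T10:01:01 10.0.0.7  qwtrhzkl.com NXDOMAIN
2016-03-01T10:01:02 10.0.0.7  mpxvbqau.net NXDOMAIN
2016-03-01T10:01:03 10.0.0.7  zkfjdwor.info NXDOMAIN
2016-03-01T10:01:04 10.0.0.7  vbmskqtz.com NXDOMAIN
2016-03-01T10:01:05 10.0.0.7  hrqpzdlw.net NXDOMAIN
2016-03-01T10:01:06 10.0.0.7  tdqmzfhb.info NXDOMAIN
2016-03-01T10:01:07 10.0.0.7  ycwnvxek.org NOERROR
2016-03-01T10:02:01 10.0.0.9  qwtrhzkl.com NXDOMAIN
2016-03-01T10:02:02 10.0.0.9  mpxvbqau.net NXDOMAIN
2016-03-01T10:02:03 10.0.0.9  lrtcnqhe.biz NXDOMAIN
2016-03-01T10:02:04 10.0.0.9  vbmskqtz.com NXDOMAIN
2016-03-01T10:02:05 10.0.0.9  tdqmzfhb.info NXDOMAIN
2016-03-01T10:02:06 10.0.0.9  ycwnvxek.org NOERROR
2016-03-01T10:03:01 10.0.0.11 k9f3a7x2.ru NXDOMAIN
2016-03-01T10:03:02 10.0.0.11 p2q8w5e1.su NXDOMAIN
2016-03-01T10:03:03 10.0.0.11 m6n4b0v7.ru NXDOMAIN
2016-03-01T10:03:04 10.0.0.11 z1x9c3v5.su NXDOMAIN
2016-03-01T10:03:05 10.0.0.11 a5s8d2f6.ru NXDOMAIN
2016-03-01T10:04:01 10.0.0.12 p2q8w5e1.su NXDOMAIN
2016-03-01T10:04:02 10.0.0.12 m6n4b0v7.ru NXDOMAIN
2016-03-01T10:04:03 10.0.0.12 z1x9c3v5.su NXDOMAIN
2016-03-01T10:04:04 10.0.0.12 a5s8d2f6.ru NXDOMAIN
2016-03-01T10:04:05 10.0.0.12 g7h1j4k0.su NXDOMAIN
2016-03-01T10:05:01 10.0.0.20 www.example.org NOERROR
2016-03-01T10:05:02 10.0.0.20 mail.example.org NOERROR
2016-03-01T10:05:03 10.0.0.20 docs.example.org NOERROR
2016-03-01T10:06:01 10.0.0.30 wwww.example.org NXDOMAIN
2016-03-01T10:06:02 10.0.0.30 www.example.org NOERROR
2016-03-01T10:06:03 10.0.0.30 mial.example.org NXDOMAIN
2016-03-01T10:06:04 10.0.0.30 mail.example.org NOERROR
"""


def parse_log(text):
    """Return per-client failed-name sets, resolved-name sets and query counts."""
    failed, resolved, total = defaultdict(set), defaultdict(set), defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, rcode = line.split()
        total[client] += 1
        (failed if rcode == "NXDOMAIN" else resolved)[client].add(qname.lower())
    return failed, resolved, total


def suspicious_hosts(failed, total, min_failed=5, min_fail_ratio=0.5):
    """Hosts whose DNS activity is dominated by failed lookups (assumed thresholds)."""
    return {c for c in total
            if len(failed[c]) >= min_failed and len(failed[c]) / total[c] >= min_fail_ratio}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0


def cluster_hosts(failed, hosts, min_similarity=0.3):
    """Group hosts whose failed-name sets overlap (union-find over similar pairs)."""
    parent = {h: h for h in hosts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(sorted(hosts), 2):
        if jaccard(failed[a], failed[b]) >= min_similarity:
            parent[find(a)] = find(b)
    groups = defaultdict(list)
    for h in hosts:
        groups[find(h)].append(h)
    clusters = [sorted(g) for g in groups.values() if len(g) >= 2]
    return sorted(clusters, key=lambda g: (-len(g), g))


def shared_names(table, cluster):
    """Names every member of the cluster queried; on the failed table this is a
    fingerprint of the shared domain list, on the resolved table a likely live C&C."""
    return sorted(set.intersection(*(table[h] for h in cluster)))


def detect(text):
    failed, resolved, total = parse_log(text)
    return [{"hosts": c,
             "shared_failed": shared_names(failed, c),
             "shared_resolved": shared_names(resolved, c)}
            for c in cluster_hosts(failed, suspicious_hosts(failed, total))]


if __name__ == "__main__":
    for entry in detect(SAMPLE_LOG):
        print(entry)
```

Run on the constructed log this yields two clusters: the three hosts that share the first domain list (with ycwnvxek.org as the one name all of them resolved) and the two hosts sharing the second list, while the clean host and the host with a couple of typos fall below the failure thresholds. In practice the thresholds and the similarity cut-off would be tuned against the network's own baseline, since a single misconfigured resolver or a search-domain suffix can also produce bursts of NXDOMAIN.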
