Detecting DGA malware using NetFlow

Botnet detection systems struggle with performance and privacy issues when analyzing data from large-scale networks. Deep packet inspection, reverse engineering, clustering and other time consuming approaches are unfeasible for large-scale networks. Therefore, many researchers focus on fast and simple botnet detection methods that use as little information as possible to avoid privacy violations. We present a novel technique for detecting malware using Domain Generation Algorithms (DGA), that is able to evaluate data from large scale networks without reverse engineering a binary or performing Non-Existent Domain (NXDomain) inspection. We propose to use a statistical approach and model the ratio of DNS requests and visited IPs for every host in the local network and label the deviations from this model as DGA-performing malware. We expect the malware to try to resolve more domains during a small time interval without a corresponding amount of newly visited IPs. For this we need only the NetFlow/IPFIX statistics collected from the network of interest. These can be generated by almost any modern router. We show that by using this approach we are able to identify DGA-based malware with zero to very few false positives. Because of the simplicity of our approach we can inspect data from very large networks with minimal computational costs.

[1]  Guofei Gu,et al.  A Taxonomy of Botnet Structures , 2007, ACSAC.

[2]  Benoit Claise,et al.  Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information , 2013, RFC.

[3]  Ramesh Govindan,et al.  ASTUTE: detecting a different class of traffic anomalies , 2010, SIGCOMM '10.

[4]  Herbert Bos,et al.  SoK: P2PWNED - Modeling and Evaluating the Resilience of Peer-to-Peer Botnets , 2013, 2013 IEEE Symposium on Security and Privacy.

[5]  Leonid Portnoy,et al.  Intrusion detection with unlabeled data using clustering , 2000 .

[6]  Lawrence K. Saul,et al.  Beyond blacklists: learning to detect malicious web sites from suspicious URLs , 2009, KDD.

[7]  Minaxi Gupta,et al.  Behind Phishing: An Examination of Phisher Modi Operandi , 2008, LEET.

[8]  Albert G. Greenberg,et al.  Network anomography , 2005, IMC '05.

[9]  Christopher Krügel,et al.  Your botnet is my botnet: analysis of a botnet takeover , 2009, CCS.

[10]  Andreas Haeberlen,et al.  Differential privacy for collaborative security , 2010, EUROSEC '10.

[11]  Felix C. Freiling,et al.  Measuring and Detecting Fast-Flux Service Networks , 2008, NDSS.

[12]  Vinod Yegneswaran,et al.  An Inside Look at Botnets , 2007, Malware Detection.

[13]  Kangbin Yim,et al.  DGA-Based Botnet Detection Using DNS Traffic , 2013, J. Internet Serv. Inf. Secur..

[14]  Sven Dietrich,et al.  Analysis of the Storm and Nugache Trojans: P2P Is Here , 2007, login Usenix Mag..

[15]  Robin Berthier,et al.  Nfsight: netflow-based network awareness tool , 2010 .

[16]  Roberto Perdisci,et al.  From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware , 2012, USENIX Security Symposium.

[17]  Sandeep Yadav,et al.  Detecting Algorithmically Generated Domain-Flux Attacks With DNS Traffic Analysis , 2012, IEEE/ACM Transactions on Networking.

[18]  Benoit Claise,et al.  Cisco Systems NetFlow Services Export Version 9 , 2004, RFC.

[19]  Michalis Faloutsos,et al.  Transport layer identification of P2P traffic , 2004, IMC '04.

[20]  HyunCheol Jeong,et al.  Botnet Detection and Response Architecture for Offering Secure Internet Services , 2008, 2008 International Conference on Security Technology.