Fast-flux Botnet Detection Based on Traffic Response and Search Engines Creditworthiness

Botnets are considered one of the primary threats on the Internet, and there have been many research efforts to detect and mitigate them. Today, botnets use the DNS technique fast-flux to hide malware sites behind a constantly changing network of compromised hosts. This technique resembles the legitimate Round Robin DNS technique and Content Delivery Networks (CDNs). Different techniques have been developed, with more or less success, to distinguish normal network traffic from botnet traffic. The aim of this paper is to improve botnet detection using an Intrusion Detection System (IDS) or router. A novel classification method for online botnet detection is presented, based on DNS traffic features that distinguish botnet traffic from CDN-based traffic. Botnet features are classified according to their suitability for use and implementation in an embedded system. Traffic response is analysed as a strong candidate for online detection. Its disadvantage lies in specific cases where a CDN behaves like a botnet. A new feature based on search engine hits is proposed to reduce false positive detections. The experimental evaluation shows that the proposed classification could significantly improve botnet detection. A procedure is suggested for implementing such a system as part of an IDS.
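The detection idea described above, as an added illustration that is not the paper's code: a small scorer that first applies traffic-response features (low TTL, IP churn across repeated answers, and the spread of round-trip times to the answered hosts) and then uses a search-engine hit count as a creditworthiness feature to separate a legitimately fluxing CDN from a fast-flux network. The feature definitions, thresholds, hit counts and DNS samples are all constructed assumptions chosen to show the false-positive case the abstract mentions, where a CDN looks like a botnet on traffic response alone.

```python
"""Added example: fast-flux scoring from DNS response features, traffic
response and search-engine creditworthiness. Not the paper's implementation;
thresholds and sample data are constructed."""
from dataclasses import dataclass
from statistics import pstdev
from typing import List, Sequence

# Constructed thresholds (assumptions, not values from the paper).
TTL_MAX_S = 300          # fast-flux and CDNs both use short TTLs
CHURN_MIN = 0.5          # share of "new" IPs in later answers
RTT_SPREAD_MIN_MS = 50.0 # RTT dispersion typical of scattered compromised hosts
HITS_MIN = 1000          # search-engine hits below this = low creditworthiness


@dataclass
class DnsObservation:
    """One DNS answer for a domain plus a traffic-response probe per answer IP."""
    domain: str
    ttl: int               # TTL of the A records in this response
    answers: List[str]     # A records returned
    rtt_ms: List[float]    # measured RTT to each answer IP (constructed values)


def ip_churn(obs: Sequence[DnsObservation]) -> float:
    """Fraction of answer IPs in responses after the first that were never seen before."""
    if len(obs) < 2:
        return 0.0
    seen = set(obs[0].answers)
    new = total = 0
    for o in obs[1:]:
        for ip in o.answers:
            total += 1
            if ip not in seen:
                new += 1
                seen.add(ip)
    return new / total if total else 0.0


def rtt_dispersion(obs: Sequence[DnsObservation]) -> float:
    """Population standard deviation of all RTT probes (traffic-response feature)."""
    rtts = [r for o in obs for r in o.rtt_ms]
    return pstdev(rtts) if len(rtts) > 1 else 0.0


def response_score(obs: Sequence[DnsObservation]) -> int:
    """Count of traffic-response indicators present (0..3)."""
    score = 0
    if min(o.ttl for o in obs) <= TTL_MAX_S:
        score += 1
    if ip_churn(obs) >= CHURN_MIN:
        score += 1
    if rtt_dispersion(obs) >= RTT_SPREAD_MIN_MS:
        score += 1
    return score


def classify_by_response(obs: Sequence[DnsObservation]) -> str:
    """Traffic-response features only; flags fluxing CDNs as false positives."""
    return "fast-flux" if response_score(obs) == 3 else "benign"


def classify(obs: Sequence[DnsObservation], search_hits: int) -> str:
    """Traffic response plus search-engine creditworthiness."""
    if response_score(obs) < 3:
        return "benign"
    # All fast-flux indicators fired: a well-indexed domain is treated as a CDN.
    return "benign" if search_hits >= HITS_MIN else "fast-flux"


# Constructed samples (documentation-range IPs, invented RTTs).
FLUX = [  # scattered compromised hosts: new IPs every answer, wildly varying RTT
    DnsObservation("flux.example", 120, ["198.51.100.10", "198.51.100.77", "203.0.113.5"], [35.0, 180.0, 410.0]),
    DnsObservation("flux.example", 120, ["203.0.113.9", "198.51.100.200", "192.0.2.33"], [260.0, 22.0, 390.0]),
    DnsObservation("flux.example", 120, ["192.0.2.71", "203.0.113.140", "198.51.100.3"], [90.0, 330.0, 15.0]),
]
CDN = [  # rotating edge nodes, one answer from a distant region: looks like flux on response alone
    DnsObservation("cdn.example", 60, ["192.0.2.10", "192.0.2.11"], [12.0, 14.0]),
    DnsObservation("cdn.example", 60, ["192.0.2.12", "192.0.2.13"], [210.0, 205.0]),
    DnsObservation("cdn.example", 60, ["192.0.2.14", "192.0.2.10"], [11.0, 13.0]),
]
STATIC = [  # ordinary single-host site with a long TTL
    DnsObservation("static.example", 3600, ["192.0.2.50"], [20.0]),
    DnsObservation("static.example", 3600, ["192.0.2.50"], [21.0]),
]

if __name__ == "__main__":
    for name, obs, hits in (("FLUX", FLUX, 3), ("CDN", CDN, 500_000), ("STATIC", STATIC, 0)):
        print(name, "response-only:", classify_by_response(obs), "| with hits:", classify(obs, hits))
```

Running the block shows the CDN sample flagged by the response-only classifier and cleared once the hit count is considered, while the fast-flux sample stays flagged under both; in a real IDS the hit count would have to be fetched and cached out of band, since querying a search engine per lookup is not feasible inline.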
