DFBotKiller: Domain-flux botnet detection based on the history of group activities and failures in DNS traffic

Abstract: Each botnet needs an addressing mechanism to locate its command and control (C&C) server(s). This mechanism allows a botmaster to send commands to and receive stolen data from compromised hosts. To maximize the availability of the C&C server(s), botmasters have recently started to use domain-flux techniques. However, domain-flux botnets have some important characteristics that we can use to detect them. They usually generate a large number of DNS queries resolved to the same IP address, and they often generate many failures in DNS traffic. The domain names in the DNS queries are randomly or algorithmically generated, and their alphanumeric distribution is significantly different from that of legitimate ones. In this paper, we present DFBotKiller, a negative reputation system that considers the history of both suspicious group activities and suspicious failures in DNS traffic to detect domain-flux botnets. Our main goal is to automatically assign a high negative reputation score to each host that is involved in these suspicious domain activities. To identify randomly or algorithmically generated domain names, we use three measures, namely the Jensen-Shannon divergence, Spearman's rank correlation coefficient, and the Levenshtein distance. We demonstrate the effectiveness of DFBotKiller in detecting hosts infected by domain-flux botnets using multiple DNS queries collected from our campus network and a testbed network consisting of some bot-infected hosts. The experimental results show that DFBotKiller can make a good trade-off between the detection and false alarm rates.
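The following is an added illustration, not the paper's own implementation, of how the signals named in the abstract can be turned into a per-host negative reputation score: the three string measures (Jensen-Shannon divergence and Spearman's rank correlation between a host's domain-name character distribution and a benign reference distribution, and the Levenshtein distance among names that resolve to the same IP), plus counts of DNS failures and of distinct names grouped on one answer IP. The log format, the benign reference list, the sample log lines and the weighting are all constructed assumptions for the example; DFBotKiller's actual features and scoring are as described in the paper, not here.

```python
"""Toy domain-flux host scoring over constructed DNS log lines (added example)."""
import math
import re
from collections import Counter, defaultdict
from itertools import combinations

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

# Constructed benign second-level labels; the reference distribution is built from them.
BENIGN_REFERENCE = ["mail", "google", "update", "cdn", "static", "login",
                    "images", "news", "weather", "maps", "docs", "shop"]

# Constructed log format (an assumption, not any real resolver's format):
#   host=<client> qname=<queried name> rcode=<NOERROR|NXDOMAIN> answer=<ip or ->
LOG_RE = re.compile(r"host=(\S+) qname=(\S+) rcode=(\S+) answer=(\S+)")

SAMPLE_LOG = [  # constructed sample data
    "host=10.0.0.2 qname=mail.example.com rcode=NOERROR answer=203.0.113.10",
    "host=10.0.0.2 qname=www.example.com rcode=NOERROR answer=203.0.113.10",
    "host=10.0.0.2 qname=docs.example.org rcode=NOERROR answer=203.0.113.11",
    "host=10.0.0.2 qname=news.example.net rcode=NXDOMAIN answer=-",
    "host=10.0.0.9 qname=qzvkxjfbyq.com rcode=NXDOMAIN answer=-",
    "host=10.0.0.9 qname=7zx9qkvb2j.net rcode=NXDOMAIN answer=-",
    "host=10.0.0.9 qname=kjq4zvx1fy.org rcode=NXDOMAIN answer=-",
    "host=10.0.0.9 qname=vb8xzqjky3.com rcode=NXDOMAIN answer=-",
    "host=10.0.0.9 qname=bkxqzjvfy9.com rcode=NOERROR answer=198.51.100.7",
    "host=10.0.0.9 qname=jzq3kvxfby.net rcode=NOERROR answer=198.51.100.7",
    "host=10.0.0.9 qname=yfvq6zkxjb.org rcode=NOERROR answer=198.51.100.7",
    "host=10.0.0.9 qname=xqbz1jkvyf.com rcode=NOERROR answer=198.51.100.7",
]

def second_level(qname):
    """Label left of the public suffix; assumes a one-label suffix (simplification)."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def char_distribution(labels):
    """Unigram distribution over ALPHABET of all characters in the given labels."""
    counts = Counter(c for lab in labels for c in lab if c in ALPHABET)
    total = sum(counts.values()) or 1
    return [counts[c] / total for c in ALPHABET]

def kl(p, q):
    return sum(pi * math.log2(pi / qi) for pi, qi in zip(p, q) if pi > 0)

def jensen_shannon(p, q):
    """JSD with log base 2, so the value lies in [0, 1]; 1 means disjoint supports."""
    m = [(pi + qi) / 2 for pi, qi in zip(p, q)]
    return 0.5 * kl(p, m) + 0.5 * kl(q, m)

def _ranks(values):
    """1-based average ranks; tied values share the mean of their rank positions."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks, i = [0.0] * len(values), 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for k in range(i, j + 1):
            ranks[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return ranks

def spearman(p, q):
    """Spearman's rho = Pearson correlation of the rank vectors (0.0 if undefined)."""
    rp, rq, n = _ranks(p), _ranks(q), len(p)
    mp, mq = sum(rp) / n, sum(rq) / n
    num = sum((a - mp) * (b - mq) for a, b in zip(rp, rq))
    den = math.sqrt(sum((a - mp) ** 2 for a in rp) * sum((b - mq) ** 2 for b in rq))
    return num / den if den else 0.0

def levenshtein(a, b):
    """Classic edit distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_features(log_lines, reference=None):
    ref = char_distribution(reference or BENIGN_REFERENCE)
    hosts = defaultdict(lambda: {"labels": set(), "nxdomain": 0, "by_ip": defaultdict(set)})
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line is skipped, never guessed at
        host, qname, rcode, answer = m.groups()
        label, h = second_level(qname), hosts[host]
        h["labels"].add(label)
        if rcode == "NXDOMAIN":
            h["nxdomain"] += 1
        elif answer != "-":
            h["by_ip"][answer].add(label)  # group activity: names sharing one answer IP
    feats = {}
    for host, h in hosts.items():
        dist = char_distribution(h["labels"])
        largest = max(h["by_ip"].values(), key=len, default=set())
        pairs = list(combinations(sorted(largest), 2))
        edit = sum(levenshtein(a, b) / max(len(a), len(b)) for a, b in pairs) / len(pairs) if pairs else 0.0
        feats[host] = {"jsd": jensen_shannon(dist, ref), "rho": spearman(dist, ref),
                       "edit": edit, "group": len(largest), "nxdomain": h["nxdomain"]}
    return feats

def negative_reputation(f):
    """Arbitrary equal weighting (assumption); every term is scaled to [0, 1]."""
    return (f["jsd"] + (1 - f["rho"]) / 2 + f["edit"]
            + min(f["group"], 10) / 10 + min(f["nxdomain"], 10) / 10)

def rank_hosts(log_lines):
    """Hosts sorted from most to least suspicious as (score, host) tuples."""
    feats = host_features(log_lines)
    return sorted(((negative_reputation(f), host) for host, f in feats.items()), reverse=True)

if __name__ == "__main__":
    for score, host in rank_hosts(SAMPLE_LOG):
        print(f"{host:10s} negative reputation = {score:.2f}")
```

The reference distribution is built from ordinary English-like labels, so the constructed DGA labels (built only from letters and digits absent from the reference) reach the maximum Jensen-Shannon divergence of 1, and the pairwise Levenshtein distance among the names grouped on one answer IP is high because the names share no structure. In real traffic the reference would be learned from a large benign corpus, and the score would be accumulated over time rather than computed from a single window.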
