Identifying DGA-Based Botnets Using Network Anomaly Detection

Attacks today are no longer launched from a single computer but from thousands, sometimes millions, of systems spread across the globe and grouped into a network called a botnet. The most widely used technique for controlling a botnet is to have each bot attempt connections to many domain names generated by a domain generation algorithm (DGA). In this paper we present several algorithms that can determine whether a computer is part of a botnet by examining its network traffic. Because in some cases the raw network traffic cannot be shared for privacy reasons, we also analyze the case where only limited information is available (such as a NetFlow log). The algorithms presented here were derived by reverse engineering and analyzing the DGAs of 18 different botnets, including some that have been taken down (such as Cryptolocker) and others that are still alive and thriving (such as PushDo, Tinba, Nivdort, DirtyLocker, Dobot, Patriot, Ramdo, Virut, Ramnit and many more).
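As an added illustration of the kind of per-host traffic analysis the abstract describes (this is example code written for this page, not the paper's algorithms), the script below scores each client in a DNS resolver log on three features that a DGA-driven bot tends to exhibit: a high share of NXDOMAIN responses, many distinct second-level labels, and high character entropy in those labels. The log format, the thresholds and the sample lines are all constructed assumptions; a deployment would calibrate the thresholds against its own baseline traffic.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (not from the paper), one query per line:
# "<epoch> <client_ip> <queried_name> <rcode>"
SAMPLE_DNS_LOG = """\
1700000000 10.0.0.5 www.example.com NOERROR
1700000001 10.0.0.5 mail.example.com NOERROR
1700000002 10.0.0.5 cdn.example.net NOERROR
1700000003 10.0.0.7 xk3j9qzplw2v.com NXDOMAIN
1700000004 10.0.0.7 q8tz1mnb7rfc.net NXDOMAIN
1700000005 10.0.0.7 v0plk2sdg9hj.org NXDOMAIN
1700000006 10.0.0.7 mz4wq7xcb1ln.com NXDOMAIN
1700000007 10.0.0.7 rt6yh2kdp8va.info NXDOMAIN
1700000008 10.0.0.7 dj9sk1lqz3xe.biz NXDOMAIN
1700000009 10.0.0.7 bgw2r5tnc8um.com NOERROR
1700000010 10.0.0.9 www.example.com NOERROR
1700000011 10.0.0.9 wwww.example.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL|REFUSED)$")


def parse_dns_log(text):
    """Parse the assumed log format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, name, rcode = m.groups()
            records.append({"ts": int(ts), "client": client,
                            "name": name.lower(), "rcode": rcode})
    return records


def shannon_entropy(s):
    """Bits of entropy per character; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(name):
    """Label directly under the TLD; simplistic (no public-suffix list)."""
    parts = name.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def score_hosts(records):
    """Aggregate per-client features over all records supplied."""
    per_client = defaultdict(list)
    for r in records:
        per_client[r["client"]].append(r)
    features = {}
    for client, recs in per_client.items():
        labels = [second_level_label(r["name"]) for r in recs]
        nx = sum(1 for r in recs if r["rcode"] == "NXDOMAIN")
        features[client] = {
            "queries": len(recs),
            "nxdomain_ratio": nx / len(recs),
            "unique_label_ratio": len(set(labels)) / len(recs),
            "mean_entropy": sum(shannon_entropy(l) for l in labels) / len(labels),
        }
    return features


def flag_dga_candidates(features, min_queries=5, nx_threshold=0.5,
                        entropy_threshold=3.0, unique_threshold=0.8):
    """Return clients whose features jointly look like DGA probing.

    The thresholds are assumed starting points, not values from the paper.
    A minimum query count avoids flagging a host on one or two typos.
    """
    flagged = []
    for client, f in sorted(features.items()):
        if (f["queries"] >= min_queries
                and f["nxdomain_ratio"] >= nx_threshold
                and f["mean_entropy"] >= entropy_threshold
                and f["unique_label_ratio"] >= unique_threshold):
            flagged.append(client)
    return flagged


if __name__ == "__main__":
    feats = score_hosts(parse_dns_log(SAMPLE_DNS_LOG))
    for client, f in sorted(feats.items()):
        print(client, {k: round(v, 3) for k, v in f.items()})
    print("DGA candidates:", flag_dga_candidates(feats))
```

On the constructed sample, only 10.0.0.7 is reported: 10.0.0.5 resolves ordinary names, and 10.0.0.9 has one NXDOMAIN from a typo but too few queries to judge. In practice the features would be computed per time window so that a host's baseline can be compared over time rather than across the whole log.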
