Detection of botnet collusion by degree distribution of domains

Malicious botnets threaten the Internet with DDoS attacks, spam, information theft and other criminal activities. They use increasingly sophisticated techniques to hide their Command and Control traffic. Many existing detection techniques can be defeated by encryption, tunneling in popular protocols, delays, and flow perturbation. We introduce a new DNS-based detection approach that detects botnet collusion through anomalies in the degree distribution of visited domains, without any assumption about message content or the statistical properties of the traffic. The proposed technique is difficult to evade without major changes to the bot Command and Control infrastructure or a loss of utility. We evaluate evasion possibilities, derive a theoretical model of the detector's performance, and test the detector with a combination of captured Internet traffic and simulated botnet traffic.
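As an added illustration (not the paper's code or its model), the following Python script builds the client-to-domain degree distribution from a constructed DNS query log and flags degree bins that hold far more domains than a power-law fit to the observed distribution predicts, then reports the clients those domains share. The power-law MLE, the 3-sigma rule and the sample data are assumptions of this example only.

```python
# Added example (not the paper's code); the fit and threshold are illustrative assumptions.
import math
from collections import Counter, defaultdict


def constructed_log():
    """Constructed (client, qname) pairs; no real traffic.

    Benign domain of rank r is resolved by the first 40 // r of 40 clients,
    giving a Zipf-like degree distribution.  Nine of the clients additionally
    all resolve the same five rendezvous names (the colluding group)."""
    pairs = [(f"c{c:02d}", f"site{r}.example")
             for r in range(1, 41) for c in range(40 // r)]
    pairs += [(f"c{c:02d}", f"rv{i}.invalid")
              for i in range(1, 6) for c in range(30, 39)]
    return pairs


def domain_degrees(pairs):
    """Degree of a domain = number of distinct clients that resolved it."""
    clients = defaultdict(set)
    for client, qname in pairs:
        clients[qname].add(client)
    return {d: len(s) for d, s in clients.items()}, clients


def find_collusion(pairs, min_count=3, sigmas=3.0):
    """Flag degree bins holding far more domains than a power-law fit to the
    observed degree distribution predicts; report those domains and the
    clients they share (the candidate colluding group)."""
    degrees, clients = domain_degrees(pairs)
    hist = Counter(degrees.values())
    n, kmin, kmax = len(degrees), min(hist), max(hist)
    # Discrete power-law exponent via the usual MLE approximation.
    alpha = 1 + n / sum(math.log(k / (kmin - 0.5)) for k in degrees.values())
    norm = sum(k ** -alpha for k in range(kmin, kmax + 1))
    flagged = {}
    for k, observed in sorted(hist.items()):
        expected = n * k ** -alpha / norm
        if observed >= min_count and observed > expected + sigmas * math.sqrt(expected):
            doms = sorted(d for d, deg in degrees.items() if deg == k)
            shared = set.intersection(*(clients[d] for d in doms))
            flagged[k] = {"domains": doms, "shared_clients": sorted(shared)}
    return flagged


if __name__ == "__main__":
    print(find_collusion(constructed_log()))
```

On the constructed log only the degree-9 bin (the five rendezvous names shared by clients c30 to c38) is flagged; the benign Zipf-like bins stay within the fitted expectation.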
