DNS rule-based schema to botnet detection

ABSTRACT Botnets are a serious security threat today, with significant economic impact on organizations and individuals alike. Recent botnets, such as Zeus, Citadel and Conficker, use the Domain Name System (DNS) to evade detection: by resolving their command-and-control (C&C) servers through DNS, they prevent network administrators from locating and shutting those servers down. This paper therefore proposes a DNS rule-based approach to Botnet Detection (DNS-BD) that improves the accuracy of botnet detection based on DNS traffic. The approach is based on DNS query and response behaviour; it detects abnormal query and response behaviour by applying a proposed set of DNS query and response rules. The results show that the proposed approach detects the botnet with an accuracy of 99.35% and a false-positive rate of 0.25%. A comparison with well-known DNS-based approaches evaluates the effectiveness of the proposed approach; it is concluded that the proposed approach outperforms them and can be implemented as part of any antivirus or IDS product.
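The abstract does not spell out the DNS-BD rules themselves. As an added illustration of what a rule-based check over DNS query and response behaviour looks like, the example below (written for this page, not code from the paper) parses a constructed DNS log and fires three heuristics that are common in DNS-based botnet detection: a burst of NXDOMAIN answers per client, DGA-like query names (long, high-entropy left-most labels), and fast-flux style answer churn (short TTLs with many distinct A records for one name). The log format, the host and domain names, and every threshold are assumptions chosen for the example.

```python
"""Rule-based detection of abnormal DNS query/response behaviour over a
constructed DNS log.  Illustrative example only: the rules below are common
heuristics from the DNS-based botnet detection literature (NXDOMAIN bursts,
DGA-like names, fast-flux answer churn), not the DNS-BD rule set itself."""
import math
from collections import defaultdict
from dataclasses import dataclass

# Constructed log format (assumption): ts client qname qtype rcode ttl answers
# "answers" is a ';'-separated list of A records, or '-' when there is none.
SAMPLE_LOG = """\
1 10.0.0.5 www.example.com A NOERROR 3600 93.184.216.34
2 10.0.0.5 mail.example.com A NOERROR 3600 93.184.216.35
3 10.0.0.7 xk3j9f2qpa7z.biz A NXDOMAIN 0 -
4 10.0.0.7 q8wz1mvb0tyd.biz A NXDOMAIN 0 -
5 10.0.0.7 ph4r7lc2sjw9.biz A NXDOMAIN 0 -
6 10.0.0.7 n5d8t1gvbq2x.biz A NXDOMAIN 0 -
7 10.0.0.7 m2vb8kq1zxd7.biz A NOERROR 120 198.51.100.10;198.51.100.77
8 10.0.0.9 cdn.fluxy-cc.net A NOERROR 60 203.0.113.5;203.0.113.19;203.0.113.44
9 10.0.0.9 cdn.fluxy-cc.net A NOERROR 60 203.0.113.88;203.0.113.91;203.0.113.7
10 10.0.0.9 cdn.fluxy-cc.net A NOERROR 60 203.0.113.120;203.0.113.3;203.0.113.56
"""


@dataclass
class DnsRecord:
    ts: int
    client: str
    qname: str
    qtype: str
    rcode: str
    ttl: int
    answers: list


def parse_log(text):
    """Parse the constructed log format above into DnsRecord objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rcode, ttl, answers = line.split()
        records.append(DnsRecord(int(ts), client, qname.lower().rstrip("."), qtype,
                                 rcode, int(ttl),
                                 [] if answers == "-" else answers.split(";")))
    return records


def label_entropy(qname):
    """Shannon entropy (bits/char) of the left-most label; DGA names score high."""
    label = qname.split(".")[0]
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_like(qname, min_len=10, min_entropy=3.2):
    """Illustrative thresholds: long and high-entropy left-most label."""
    label = qname.split(".")[0]
    return len(label) >= min_len and label_entropy(qname) >= min_entropy


def fast_flux_domains(records, max_ttl=300, min_responses=3, min_distinct_ips=6):
    """Names answered with short TTLs whose A records churn across responses."""
    per_domain = defaultdict(lambda: {"responses": 0, "ips": set(), "ttl": None})
    for r in records:
        if r.rcode != "NOERROR" or not r.answers:
            continue
        d = per_domain[r.qname]
        d["responses"] += 1
        d["ips"].update(r.answers)
        d["ttl"] = r.ttl if d["ttl"] is None else min(d["ttl"], r.ttl)
    return {name for name, d in per_domain.items()
            if d["ttl"] <= max_ttl and d["responses"] >= min_responses
            and len(d["ips"]) >= min_distinct_ips}


def detect(records, min_queries=4, nx_ratio=0.5, dga_ratio=0.5):
    """Return {client: [rules fired]} for clients whose DNS behaviour breaks a rule."""
    flux = fast_flux_domains(records)
    by_client = defaultdict(list)
    for r in records:
        by_client[r.client].append(r)
    verdicts = {}
    for client, recs in by_client.items():
        fired = []
        n = len(recs)
        # Rule 1: most answers are NXDOMAIN (typical of a DGA probing for its C&C).
        if n >= min_queries and sum(r.rcode == "NXDOMAIN" for r in recs) / n >= nx_ratio:
            fired.append("nxdomain_burst")
        # Rule 2: most query names look algorithmically generated.
        if n >= min_queries and sum(dga_like(r.qname) for r in recs) / n >= dga_ratio:
            fired.append("dga_like_names")
        # Rule 3: the client resolved a name that shows fast-flux answer churn.
        if any(r.qname in flux for r in recs):
            fired.append("fast_flux_answers")
        if fired:
            verdicts[client] = fired
    return verdicts


if __name__ == "__main__":
    for client, rules in sorted(detect(parse_log(SAMPLE_LOG)).items()):
        print(client, ", ".join(rules))
```

Each rule on its own would produce false positives on real traffic (CDNs also use short TTLs, and some legitimate hostnames are long and random-looking), so a deployment would tune the thresholds on benign baseline traffic and raise an alert only when more than one rule fires for the same client, which is what the per-client list of fired rules is for.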