Thriving on chaos: Proactive detection of command and control domains in internet of things-scale botnets using DRIFT

Funding information: National Science Foundation, Grant/Award Number: CNS-1809000; Korea National Research Foundation, Grant/Award Number: 2016K1A1A2912757; Chung-Ang University Research Grant (2018)

Abstract

In this paper, we introduce DRIFT, a system for detecting command and control (C2) domain names in Internet of Things–scale botnets. Using an intrinsic feature of malicious domain name queries, namely that they are issued prior to the domain's registration (perhaps due to clock drift), we devise a difference-based lightweight feature for malicious C2 domain name detection. Using NXDomain queries and responses of a popular malware, we establish the effectiveness of our detector with 99% accuracy, detecting domains as early as more than 48 hours before they are registered. Our technique serves as a detection tool where other techniques, such as those relying on entropy or on reversing domain generation algorithms, are impractical.
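The abstract describes the core signal without showing how it is computed. The following added example (written for this page, not the DRIFT authors' code) illustrates the idea from a defender's side: take a resolver's NXDOMAIN log, record the earliest failed query per name, compare it with the name's later registration time, and flag names that were being looked up well before they existed. The log format, the registration feed, the 24-hour threshold and all sample values are constructed assumptions for illustration; the paper's actual feature and thresholds are not reproduced here.

```python
"""
Pre-registration NXDOMAIN detector (illustrative, not the DRIFT implementation).

Signal: a domain that clients query (and receive NXDOMAIN for) hours or days
before it is registered is a candidate C2 rendezvous point, since benign
names are normally registered before anyone looks them up.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed resolver log lines: "<ISO8601 UTC> <client> <qname> <rcode>".
# The names and addresses are made up for this example.
NXDOMAIN_LOG: List[str] = [
    "2018-03-01T02:10:00Z 10.0.0.7 kq3vx9dl.example NXDOMAIN",
    "2018-03-01T06:45:00Z 10.0.0.9 kq3vx9dl.example NXDOMAIN",
    "2018-03-02T01:30:00Z 10.0.0.7 kq3vx9dl.example NXDOMAIN",
    "2018-03-03T12:00:00Z 10.0.0.7 kq3vx9dl.example NOERROR",
    "2018-03-02T09:00:00Z 10.0.0.4 typo-of-popular.example NXDOMAIN",
    "2018-03-04T10:00:00Z 10.0.0.4 another.example NXDOMAIN",
]

# Constructed registration feed (e.g. first appearance in a zone file).
# "another.example" is deliberately absent: it is still unregistered.
REGISTRATION_TIMES: Dict[str, str] = {
    "kq3vx9dl.example": "2018-03-03T11:00:00Z",
    "typo-of-popular.example": "2018-03-02T08:00:00Z",  # registered before the query
}

# Assumed minimum lead time before a name is flagged.
LEAD_THRESHOLD = timedelta(hours=24)


def parse_ts(text: str) -> datetime:
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamp as UTC."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Split one log line into (timestamp, client, qname, rcode)."""
    ts, client, qname, rcode = line.split()
    return parse_ts(ts), client, qname.lower().rstrip("."), rcode


def first_nxdomain_seen(lines: List[str]) -> Dict[str, datetime]:
    """Earliest NXDOMAIN response observed for each queried name."""
    first: Dict[str, datetime] = {}
    for line in lines:
        ts, _client, qname, rcode = parse_line(line)
        if rcode != "NXDOMAIN":
            continue
        if qname not in first or ts < first[qname]:
            first[qname] = ts
    return first


def lead_time(qname: str, first_seen: datetime,
              registrations: Dict[str, str]) -> Optional[timedelta]:
    """How long before registration the name was first queried.

    Positive means queried before registration; None if the name has no
    registration record yet (the lead cannot be computed, only that it is
    still growing).
    """
    reg = registrations.get(qname)
    if reg is None:
        return None
    return parse_ts(reg) - first_seen


def detect(lines: List[str], registrations: Dict[str, str],
           threshold: timedelta = LEAD_THRESHOLD) -> Dict[str, timedelta]:
    """Return names queried at least `threshold` before they were registered."""
    flagged: Dict[str, timedelta] = {}
    for qname, first_seen in first_nxdomain_seen(lines).items():
        lead = lead_time(qname, first_seen, registrations)
        if lead is not None and lead >= threshold:
            flagged[qname] = lead
    return flagged


if __name__ == "__main__":
    for name, lead in detect(NXDOMAIN_LOG, REGISTRATION_TIMES).items():
        print(f"{name}: first NXDOMAIN {lead} before registration")
```

In the constructed data, `kq3vx9dl.example` is queried about 57 hours before it appears in the registration feed and is flagged; `typo-of-popular.example` was registered an hour before its only failed lookup and is left alone; `another.example` has no registration record, so no lead time can be assigned yet. In practice the registration feed would come from zone-file or WHOIS first-seen data, and the threshold would be tuned against the false-positive rate on typo traffic, which also produces NXDOMAIN responses but normally for names that never get registered.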
