BotXrayer : Exposing Botnets by Visualizing DNS Traffic

Botnets pose a major problem to Internet security. They enable various online crimes such as DDoS attacks, identity theft and spam e-mail. While there have been many attempts to detect botnets, most of these studies have difficulty detecting botnets because of the evasive techniques bots use to resemble normal traffic. In this paper, we propose a visualization method, BotXrayer, to detect botnets. It displays DNS traffic on the plane of parallel coordinates using four carefully selected parameters that efficiently represent a botnet hierarchy and its attack patterns. BotXrayer provides a view of graphs that helps humans recognize botnet patterns intuitively. Observing that botnets frequently generate DNS traffic that forms unique patterns, we develop six botnet attack signatures. We adopt four logic operations (XOR, AND, OR, SUB) to find hidden botnet identities and to separate distinct botnet graphs from noisy lines on the coordinates. Experiments with real traces from /16 networks show that the proposed mechanism can detect various botnets effectively. Furthermore, botnet activities such as launching DRDoS attacks, poisoning DNS cache entries and sending spam were captured.
