A novel reputation system to detect DGA-based botnets

A botnet is a network of compromised hosts (bots) remotely controlled by a so-called bot herder through one or more command and control (C&C) servers. New-generation botnets, such as Conficker and Murofet, tend to use a form of domain fluxing for command and control. Each domain-fluxing bot generates a list of domain names using a domain name generation algorithm (DGA) and queries each of them until one resolves to a C&C server. Since the bot herder registers only a few of these domain names, domain-fluxing bots generate many failed DNS queries. Although some efforts have focused on detecting DGA-based botnets, none of them considers the history of suspicious activities, which leaves such detection systems with a potentially high false alarm rate. In this paper, we propose a novel reputation system to detect DGA-based botnets. Our main goal is to automatically assign a high negative reputation score to each host that is involved in suspicious bot activities. To achieve this goal, we first select DNS queries with similar characteristics at the end of each time window. We then identify hosts that algorithmically generated a large set of suspicious domain names and add them to a so-called suspicious group activity matrix. We also identify hosts with high numbers of failed DNS queries and add them to a so-called suspicious failure matrix. We finally calculate the negative reputation score of each host in these two matrices and report hosts with high negative reputation scores as bot-infected. We evaluate our reputation system using DNS queries collected from a campus network. The experimental results show that it can detect DGA-based botnets with a high detection rate and a low false alarm rate while providing real-time monitoring in large-scale networks.
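The pipeline sketched in the abstract (per-window selection of suspicious queries, a group-activity matrix and a failure matrix, and a reputation score that carries history across windows) can be illustrated with a small simulation. The block below is an added example written for this page, not the authors' code; the paper's actual features, thresholds and scoring formula are not given in the abstract, so the label heuristic (character entropy and vowel ratio), the thresholds, the exponential decay and the constructed DNS log are all assumptions chosen to make the mechanism visible. The point it demonstrates is the history argument: a host that produces one burst of typo-driven NXDOMAIN answers enters the failure matrix for one window but never reaches the alarm level, while a host that generates a fresh set of random-looking, mostly unresolved names in every window does.

```python
"""Toy host-reputation scorer for DGA-style behaviour in DNS query logs.
Added example; thresholds and heuristics are assumptions, not the paper's."""
import math
from collections import defaultdict

VOWELS = set("aeiou")
ENTROPY_MIN = 3.0       # assumed: label entropy (bits) above which it looks random
VOWEL_RATIO_MAX = 0.25  # assumed: random consonant-heavy strings have few vowels
GROUP_MIN = 5           # distinct suspicious names per window -> group-activity matrix
FAIL_MIN = 5            # NXDOMAIN answers per window -> failure matrix
CAP = 8                 # count at which a window's contribution saturates
DECAY = 0.5             # share of last window's score carried into this one
ALARM = 1.2             # negative reputation at which a host is reported


def char_entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_suspicious_label(label):
    """Stand-in for the 'similar characteristics' selection: flags labels
    that look machine-generated (long, high entropy, almost no vowels)."""
    if len(label) < 8:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return char_entropy(label) >= ENTROPY_MIN and vowel_ratio <= VOWEL_RATIO_MAX


def second_level_label(qname):
    # Crude: label left of the TLD; adequate for example.com-style names.
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def window_matrices(records):
    """Per window, keep hosts that meet the group-activity or failure threshold.
    Returns window -> host -> (suspicious_distinct_names, nxdomain_count)."""
    sus = defaultdict(set)    # (window, host) -> suspicious labels seen
    fails = defaultdict(int)  # (window, host) -> NXDOMAIN count
    for window, host, qname, rcode in records:
        if is_suspicious_label(second_level_label(qname)):
            sus[(window, host)].add(second_level_label(qname))
        if rcode == "NXDOMAIN":
            fails[(window, host)] += 1
    out = defaultdict(dict)
    for window, host in set(sus) | set(fails):
        g, f = len(sus.get((window, host), ())), fails.get((window, host), 0)
        if g >= GROUP_MIN or f >= FAIL_MIN:
            out[window][host] = (g if g >= GROUP_MIN else 0, f if f >= FAIL_MIN else 0)
    return out


def reputation_over_time(records):
    """Negative reputation per host after each window; earlier windows decay
    rather than vanish, so persistent behaviour accumulates and bursts fade."""
    matrices = window_matrices(records)
    scores = defaultdict(float)
    history = {}
    for window in sorted({r[0] for r in records}):
        for host in scores:
            scores[host] *= DECAY
        for host, (g, f) in matrices.get(window, {}).items():
            scores[host] += 0.5 * min(1.0, g / CAP) + 0.5 * min(1.0, f / CAP)
        history[window] = dict(scores)
    return history


def detected_bots(records):
    history = reputation_over_time(records)
    return sorted(h for h, s in history[max(history)].items() if s >= ALARM)


# Constructed sample log: (window, client host, queried name, rcode).
DGA_LABELS = ["xqzvkwlrjtmp", "bvhgkjtrwzxq", "qwzrtkjvhgbm", "pwlzkjqxvbrt",
              "zmkvqtwrjhgx", "hjkqzwlrvtbm", "tqrzvwkjxhgp", "wkjzqvrthbpm"]
TYPO_NAMES = ["gooogle.com", "facebok.com", "wikipedai.org",
              "amazn.com", "githb.com", "twiter.com"]


def _bot_queries(window, host):
    # Bot walks its DGA list; only the last name resolves (registered by the herder).
    return [(window, host, f"{label}.com", "NOERROR" if i == len(DGA_LABELS) - 1 else "NXDOMAIN")
            for i, label in enumerate(DGA_LABELS)]


SAMPLE_LOG = (
    _bot_queries(1, "10.0.0.5") + _bot_queries(2, "10.0.0.5") + _bot_queries(3, "10.0.0.5")
    + [(1, "10.0.0.7", n, "NXDOMAIN") for n in TYPO_NAMES]           # one-off typo burst
    + [(w, "10.0.0.9", n, "NOERROR") for w in (1, 2, 3) for n in ("google.com", "microsoft.com")]
    + [(2, "10.0.0.9", "intranet.corp", "NXDOMAIN")]                   # ordinary stray failure
)

if __name__ == "__main__":
    for w, s in reputation_over_time(SAMPLE_LOG).items():
        print(f"window {w}:", {h: round(v, 3) for h, v in s.items()})
    print("bot-infected:", detected_bots(SAMPLE_LOG))
```

With these assumed parameters the bot host 10.0.0.5 contributes 0.9375 per window (8 suspicious names, 7 failures) and crosses the 1.2 alarm in the second window; 10.0.0.7 enters the failure matrix once with 0.375 and decays from there, and 10.0.0.9 never meets either threshold and is never scored. Raising ALARM above a single window's maximum contribution (1.0 here) is what makes one window of evidence insufficient on its own.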
