ConnSpoiler: Disrupting C&C Communication of IoT-Based Botnet Through Fast Detection of Anomalous Domain Queries

The development of the Internet of Things (IoT) dramatically facilitates the integration of computing systems with the physical world. However, because IoT devices are easier to compromise than desktop computers, cybercriminals have built IoT-based botnets to launch Distributed Denial of Service (DDoS) attacks with unprecedented traffic volume. To mitigate the damage associated with these attacks, detection of IoT-based botnets has to preempt the command and control (C&C) communication and thereby prevent the delivery of the attack code. Motivated by the extensive use of domain generation algorithms in botnets, in this article we propose ConnSpoiler, a lightweight system that detects IoT-based botnets by quickly identifying the stream of algorithmically generated domains (AGDs). ConnSpoiler needs only negligible system resources to take effect and can therefore run well on resource-constrained IoT devices. By employing a powerful statistical algorithm, threshold random walk, ConnSpoiler has a high probability (about 94%) of detecting an infection before the compromised device connects to its C&C server, which helps prevent the subsequent attacks. Moreover, ConnSpoiler requires only benign domains to take effect and therefore needs no extra effort to label malicious samples for the training phase. We evaluate ConnSpoiler on real-world DNS traffic collected from two different large ISP networks and show that it accurately identifies devices compromised by unknown botnets.
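The following is an added example, not code from the paper, of the threshold random walk (sequential hypothesis test) the abstract describes, run over one device's DNS query stream so that a verdict can be reached after only a few queries. The benign-domain list, the per-query anomaly criterion (registered domain not on the benign list) and the four test parameters are assumptions made for illustration.

```python
import math
from typing import Iterable, Tuple

# Constructed benign-domain list standing in for the whitelist the detector
# is trained from (assumption: a real list would be far larger).
BENIGN_DOMAINS = {"example.com", "example.net", "example.org", "ntp.org"}

def is_anomalous(qname: str) -> bool:
    """Assumed criterion: a query is anomalous when its registered domain
    (naively, the last two labels) is not a known-benign domain."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) not in BENIGN_DOMAINS

class ThresholdRandomWalk:
    """Wald-style sequential test: accumulate a log-likelihood ratio per query
    and stop as soon as it crosses the infected or benign threshold."""
    def __init__(self, theta0=0.1, theta1=0.8, alpha=0.01, beta=0.01):
        # theta0/theta1: P(anomalous query | benign / infected device);
        # alpha: tolerated false-positive rate; beta: tolerated miss rate.
        # All four are constructed values, not the paper's.
        self.up = math.log(theta1 / theta0)                # anomalous query
        self.down = math.log((1 - theta1) / (1 - theta0))  # benign query
        self.eta_infected = math.log((1 - beta) / alpha)
        self.eta_benign = math.log(beta / (1 - alpha))
        self.llr = 0.0

    def observe(self, anomalous: bool) -> str:
        self.llr += self.up if anomalous else self.down
        if self.llr >= self.eta_infected:
            return "infected"
        if self.llr <= self.eta_benign:
            return "benign"
        return "pending"

def classify_device(queries: Iterable[str]) -> Tuple[str, int]:
    """Return (verdict, number of queries consumed before deciding)."""
    walk, n = ThresholdRandomWalk(), 0
    for qname in queries:
        n += 1
        verdict = walk.observe(is_anomalous(qname))
        if verdict != "pending":
            return verdict, n
    return "pending", n

# Constructed streams: a device talking to its vendor/NTP domains, and a
# device emitting DGA-like names before any C&C connection succeeds.
BENIGN_STREAM = ["api.example.com", "pool.ntp.org", "cdn.example.net", "time.example.org"]
INFECTED_STREAM = ["xk3q9vb2ld.example.biz", "q0wz7nplf.info", "a8sd2kjh1x.net", "example.com"]

if __name__ == "__main__":
    print(classify_device(BENIGN_STREAM))    # ('benign', 4)
    print(classify_device(INFECTED_STREAM))  # ('infected', 3)
```

With these parameters three consecutive unknown domains are enough to flag a device, so the decision can fall before the bot's first successful C&C lookup; tuning theta0 upward for networks where benign devices legitimately query many unknown domains raises that count.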
