Rule-Based Approach For Detecting Botnet Based On Domain Name System

dc.contributor.author: Ahmed Alieyan, Kamal Ibrahim
dc.date.accessioned: 2019-03-01T02:01:40Z
dc.date.available: 2019-03-01T02:01:40Z
dc.date.issued: 2018-04
dc.description.abstract: Botnets are a serious problem in today's Internet, and they cause economic damage to organizations and individuals. A botnet consists of thousands of infected hosts that receive instructions from command and control (C&C) servers operated by a single individual. Traditionally, Internet Relay Chat (IRC) servers are used as C&C servers and communicate with the botnet through IRC channels; as a result, network administrators often block IRC traffic on their networks. Recent trends in botnet development have seen the use of alternative communication channels, such as the domain name system (DNS), between the C&C servers and the infected hosts (bots). These alternative channels allow botnets to bypass common network filters, and they cannot be blocked as simply as IRC traffic because they are essential for normal network activity. Recent botnets such as Conficker, Zeus, and Citadel have used DNS fast flux to avoid detection and to reduce the ability of researchers to find and shut down the C&C servers. Therefore, this thesis proposes a rule-based approach for detecting botnets based on DNS (RADBDNS), which can improve the accuracy of detecting botnets from DNS traffic. RADBDNS uses rules based on DNS query and response behaviours and consists of three stages: (1) data pre-processing, which filters DNS traffic out of the network traffic in the datasets; (2) DNS feature selection, which selects the features that contribute most to detecting DNS-based botnets; and (3) DNS-based botnet detection, which identifies abnormal behaviour in DNS queries and responses by applying the proposed rules to them. A host that exhibits abnormal DNS queries or DNS responses is identified as a bot. The proposed approach is evaluated using two benchmark datasets in two scenarios.
The first scenario applies the proposed approach to the ISOT dataset, which contains botnet traffic mixed with legitimate traffic. The second scenario applies the proposed approach to the NIMS dataset, which contains legitimate traffic and malicious traffic separately. The results show that the proposed approach detects DNS-based botnets with 99.66% accuracy and a false positive rate of 0.23%. The effectiveness of the proposed approach is further evaluated through a comparison with a well-known DNS-based approach, and the results show that the proposed approach outperforms it.
dc.identifier.uri: http://hdl.handle.net/123456789/7796
dc.language.iso: en
dc.publisher: Universiti Sains Malaysia
dc.subject: Rule-based approach for detecting botnet
dc.subject: based on domain name system
dc.title: Rule-Based Approach For Detecting Botnet Based On Domain Name System
dc.type: Thesis