Botnet Group Domain Name System Behaviour Detection Using Improved Traffic Similarity Approach

Date
2016-12
Authors
Abdullah, Nur Nadiyah Suppiah
Publisher
Universiti Sains Malaysia
Abstract
A botnet, a group of compromised hosts running malicious software known as a bot, is considered one of the most dangerous threats to the Internet today. Botnets are the main source of most Internet threats, such as denial of service (DoS) attacks, distributed denial of service (DDoS) attacks, identity theft, spamming and phishing. Botnets differ from other malware in that they have a Command and Control (C&C) channel, which makes their detection a challenging problem. Despite the efforts in combating botnets, they continue to grow in size and in the sophistication of their techniques. Botmasters (i.e. botnet owners) tend to hide their C&C servers by abusing the flexibility of the Domain Name System (DNS). At the same time, the malicious software is pre-programmed for certain tasks such as attacking, stealing sensitive information and others. One of these tasks is looking up the C&C server, which is carried out through a DNS lookup query. The use of DNS in botnet infrastructures lets botmasters move their C&C locations freely. In this thesis, a scalable approach for detecting bot hosts from their DNS traffic is proposed. The proposed approach leverages a signal processing technique, power spectral density (PSD) analysis, to discover the significant frequencies (i.e. periods) resulting from the periodic DNS queries of botnets. The PSD analysis eases the discovery of botnets regardless of their evasive techniques and of the normal user's traffic. Moreover, the proposed approach handles the DNS traffic per host by using only the timing information of query generation, regardless of the number of queries and domains. Finally, the proposed approach was able to detect the group of bot hosts that demonstrate a similar pattern in their DNS queries.
The proposed approach in this thesis was evaluated with different datasets, such as ISOT (2010) (Sherif Saad et al., 2011), the MCFP CTU-13 datasets (García et al., 2014), and a botnet implementation generated by a real malware sample (win32/Heur BDS/Hupigon.Gen) in a controlled environment. As a result, the proposed approach achieved a detection accuracy of 100% without knowledge of the domain names, regardless of the topology and/or physical structure of the botnet. The proposed approach was also compared to similar existing methods in terms of false positive/negative performance. The comparison shows that the proposed approach achieved 0% false positives/negatives when detecting the tested botnet group.
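The abstract describes the pipeline at a high level: per-host DNS query timestamps are turned into a time series, a PSD is computed to find significant periods, and hosts sharing the same period are grouped. The following Python example is an added illustration of that idea; it is not code from the thesis, and all hosts, timings, the 60-second C&C polling period, the jitter, the window length and the peak-to-median threshold are constructed here rather than taken from the ISOT or CTU-13 datasets. It keeps only query timing, as the abstract says, and uses a plain radix-2 FFT so it runs without third-party libraries.

```python
"""Per-host DNS query timing -> PSD -> periodic (bot-like) hosts -> grouping.

Added illustration of the abstract's idea. All hosts, timings and thresholds
below are constructed for the example, not taken from the thesis datasets.
"""
import cmath
import math
import random

WINDOW_SECONDS = 8192   # one observation window in 1-second bins (power of two for the FFT)
PEAK_RATIO = 25.0       # a PSD bin must exceed 25x the median bin to count as a significant period


def simulate_host(rng, bot_period=None, jitter=1.0, user_mean_gap=60.0, n_bins=WINDOW_SECONDS):
    """Constructed series: number of DNS queries a host issued in each 1-second bin.

    Every host issues background queries as a Poisson process (exponential gaps).
    A bot host additionally issues one C&C lookup every `bot_period` seconds with a
    random phase and +/- `jitter` seconds of noise. Only timing is kept: no domain
    names and no per-query detail.
    """
    counts = [0] * n_bins
    t = rng.expovariate(1.0 / user_mean_gap)
    while t < n_bins:
        counts[int(t)] += 1
        t += rng.expovariate(1.0 / user_mean_gap)
    if bot_period:
        t = rng.uniform(0, bot_period)          # unknown start phase of the bot
        while t < n_bins:
            idx = int(t + rng.uniform(-jitter, jitter))
            if 0 <= idx < n_bins:
                counts[idx] += 1
            t += bot_period
    return counts


def fft(x):
    """Radix-2 Cooley-Tukey FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        twiddle = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + twiddle
        out[k + n // 2] = even[k] - twiddle
    return out


def psd(counts):
    """One-sided power spectral density of the mean-removed query-count series."""
    n = len(counts)
    mean = sum(counts) / n
    spectrum = fft([c - mean for c in counts])
    return [abs(v) ** 2 / n for v in spectrum[: n // 2 + 1]]


def dominant_period(counts, bin_seconds=1.0, ratio=PEAK_RATIO):
    """Return (period_seconds, peak_to_median) for the lowest significant frequency.

    The median of the non-DC bins approximates the noise floor produced by the
    host's ordinary, aperiodic queries. The lowest frequency above the threshold is
    reported so the fundamental wins over its own harmonics. (None, ratio) if none.
    """
    p = psd(counts)
    body = p[1:]                                  # drop the DC bin
    median = sorted(body)[len(body) // 2]
    if median == 0:
        return None, 0.0
    for k in range(1, len(p)):
        if p[k] > ratio * median:
            return len(counts) * bin_seconds / k, p[k] / median
    return None, max(body) / median


def group_hosts(hosts, tolerance=1.5):
    """Detect each host's period and group hosts whose periods agree within `tolerance` s."""
    detected = {name: dominant_period(c)[0] for name, c in hosts.items()}
    groups = []
    for name, period in detected.items():
        if period is None:
            continue
        for g in groups:
            if abs(g["period"] - period) <= tolerance:
                g["hosts"].append(name)
                break
        else:
            groups.append({"period": period, "hosts": [name]})
    return detected, groups


def build_sample_hosts(seed=7):
    """Constructed network: three bots polling their C&C every 60 s plus two ordinary hosts."""
    rng = random.Random(seed)
    return {
        "bot-1": simulate_host(rng, bot_period=60),
        "bot-2": simulate_host(rng, bot_period=60),
        "bot-3": simulate_host(rng, bot_period=60),
        "user-1": simulate_host(rng),
        "user-2": simulate_host(rng),
    }


if __name__ == "__main__":
    detected, groups = group_hosts(build_sample_hosts())
    for name, period in detected.items():
        print(name, "no significant period" if period is None else f"{period:.1f} s")
    for g in groups:
        print(f"group polling every ~{g['period']:.1f} s: {g['hosts']}")
```

The three bots are recovered as one group with a period close to 60 s even though each of them also generates ordinary, aperiodic queries at a comparable rate, while the two user-only hosts show no bin standing out from the noise floor. Because 60 s does not divide the window length, the periodic energy leaks into two neighbouring bins; that is why the grouping step works with a tolerance rather than an exact period, and why a real deployment would add harmonic de-duplication and a period-stability check across consecutive windows before raising an alert.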
Keywords
Botnets are the main source of most Internet threats