Botnet Group Domain Name System Behaviour Detection Using Improved Traffic Similarity Approach
Date
2016-12
Authors
Abdullah, Nur Nadiyah Suppiah
Publisher
Universiti Sains Malaysia
Abstract
A botnet, a group of compromised hosts running malicious software known as a bot, is considered one of the most dangerous threats to the Internet today. Botnets are the main source of most Internet threats, such as denial of service (DoS) attacks, distributed denial of service (DDoS) attacks, identity theft, spamming and phishing. Botnets differ from other malware in that they have a Command and Control (C&C) channel, which makes their detection a challenging problem. Despite the efforts made to combat them, botnets continue to grow in size and in the sophistication of their techniques. Botmasters (i.e. botnet owners) tend to hide their C&C servers by abusing the flexibility of the Domain Name System (DNS). The bot software is pre-programmed for certain tasks, such as attacking and stealing sensitive information; one of these tasks is locating the C&C server, which is carried out through DNS lookup queries. The use of DNS in botnet infrastructures lets botmasters relocate their C&C servers freely and safely. In this thesis, a scalable approach for detecting bot hosts from their DNS traffic is proposed. The approach leverages a signal processing technique, power spectral density (PSD) analysis, to discover the significant frequencies (i.e. periods) produced by the periodic DNS queries of botnets. PSD analysis eases the discovery of botnets despite their evasive techniques and the presence of normal user traffic. Moreover, the proposed approach treats the DNS traffic per host, using only the timing of query generation, independent of the number of queries or the domains queried. Finally, the proposed approach detects groups of bot hosts that show a similar pattern in their DNS queries. The approach was evaluated on different datasets: ISOT (2010) (Sherif Saad et al., 2011), the MCFP CTU-13 datasets (García et al., 2014), and a botnet generated by a real malware sample (win32/Heur BDS/Hupigon.Gen) in a controlled environment. The proposed approach achieved a detection accuracy of 100% without prior knowledge of the domain names, regardless of the topology and/or physical structure of the botnet. It was also compared with similar existing methods in terms of false positive and false negative performance; the comparison shows that the proposed approach achieved 0% false positives and false negatives on the tested botnet group.
Keywords
Botnets are the main source of most of the internet threats