Detection of Botnet Based on Abnormal DNS Traffic
Date
2009-06
Authors
Hsasan Abdullah, Awsan Abdulrahman
Abstract
The immense growth of the network sector has attracted the attention of the attacker community.
Attackers continually develop new techniques to help them compromise large numbers of
computers around the world; the botnet is one such technique. A botnet is a group of bots
running on compromised networks and hosts, controlled remotely by a botmaster through a
Command and Control (C&C) server. Botnets are used to carry out many malicious activities,
such as spam and DDoS attacks. Botnets are regarded as a major part of the Internet because of
how rapidly they grow. Recently, botnets have used DNS and queried DNS servers just like
legitimate hosts do, which makes legitimate DNS traffic hard to distinguish from illegitimate
DNS traffic. It is therefore important to build a suitable solution for detecting botnets in
DNS traffic and so protect the network from malicious botnet activity. This research proposes
a simple mechanism called the Botnet Detection Mechanism (BDM). BDM monitors DNS traffic and
detects the abnormal DNS traffic produced by botnet activity, based on botnet behaviour, in
particular the appearance of the botnet as a group in a periodic manner. BDM is able to
classify DNS traffic requested by groups of hosts (group behaviour) and by single hosts
(individual behaviour), and consequently to detect the abnormal domain names issued by
malicious botnets. Finally, the experimental results proved that BDM is able to classify DNS
traffic and efficiently detects botnet activity, with an average detection rate of 89%. This
proves that BDM is more robust than previous approaches to botnet detection.
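As an added illustration (not code from the thesis), the following Python sketch applies the "group plus periodic" idea the abstract describes to a few constructed DNS query records: a domain queried by several hosts at regular intervals is labelled abnormal, while domains queried by a single host or by a group without periodicity are not. The log format, thresholds and labels are assumptions for the example, not BDM's actual parameters.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed sample log, one query per line: "<seconds> <client> <domain>"
SAMPLE_LOG = """\
0 10.0.0.11 cc.example.invalid
0 10.0.0.12 cc.example.invalid
1 10.0.0.13 cc.example.invalid
300 10.0.0.11 cc.example.invalid
300 10.0.0.12 cc.example.invalid
301 10.0.0.13 cc.example.invalid
600 10.0.0.11 cc.example.invalid
600 10.0.0.12 cc.example.invalid
601 10.0.0.13 cc.example.invalid
5 10.0.0.11 www.news.example
47 10.0.0.12 www.news.example
900 10.0.0.13 www.news.example
12 10.0.0.11 mail.example
500 10.0.0.11 mail.example
"""
# Assumed thresholds (illustrative, not the thesis's values)
MIN_GROUP = 3       # distinct clients needed to call it group behaviour
MIN_QUERIES = 3     # queries per client needed to judge periodicity
MAX_JITTER = 0.2    # stdev/mean of inter-query gaps still counted as periodic

def parse_log(text):
    """Return {domain: {client: [timestamps]}} from the constructed format."""
    queries = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        ts, client, domain = line.split()
        queries[domain][client].append(float(ts))
    return queries

def is_periodic(times):
    """True when one client's query gaps are regular (low relative jitter)."""
    if len(times) < MIN_QUERIES:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m <= MAX_JITTER

def classify(text):
    """Label each domain: group and periodic -> 'abnormal-group', else 'group' or 'individual'."""
    labels = {}
    for domain, per_client in parse_log(text).items():
        group = len(per_client) >= MIN_GROUP
        periodic = all(is_periodic(sorted(t)) for t in per_client.values())
        labels[domain] = ("abnormal-group" if group and periodic
                          else "group" if group else "individual")
    return labels
```

Running `classify(SAMPLE_LOG)` flags only `cc.example.invalid`, whose three clients all query on a 300-second cadence, while the popular but unsynchronised news site and the single-host mail lookup stay unflagged.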