Botnet Detection Based on Computing Negative Reputation Score by Use of a Clustering Method and DNS Traffic
Subject Areas: electrical and computer engineering
R. Sharifnyay Dizboni 1, A. Manafi Murkani 2
1 - Tarbiat Modares University
2 - Tarbiat Modares University
Keywords: botnet detection, computing negative reputation, IP-flux, domain-flux, DNS, clustering
Abstract:
Today, botnets are known as one of the most important threats against Internet infrastructure. A botnet is a network of compromised hosts (bots) remotely controlled by a so-called botmaster through one or more command and control (C&C) servers. Since DNS is one of the most important services on the Internet, botmasters use it to make their botnets more resilient. Using the DNS service, botmasters implement two techniques, IP-flux and domain-flux, which let an attacker dynamically change C&C server addresses and keep them from being blacklisted. In this paper, we propose a reputation system that uses a clustering method and DNS traffic for online detection of fluxing botnets. We first cluster DNS queries with similar characteristics at the end of each time period. We then identify hosts that generate suspicious domain names and add them to a so-called suspicious group activity matrix. We finally calculate the negative reputation score of each host in the matrix and report hosts with high negative reputation scores as bot-infected. The experimental results show that the system successfully detects fluxing botnets with a high detection rate and a low false alarm rate.
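The pipeline sketched in the abstract (cluster one time window of DNS queries, mark clusters that look like fluxing activity, build a host-by-cluster suspicious group activity matrix, and score each host) is shown below as an added, self-contained example; it is illustration code written for this page, not the authors' implementation. The features used as the clustering key (response code, entropy bucket of the second-level label, presence of digits), the rule for calling a cluster suspicious, the weighting of a cluster by the number of hosts that share it, and the detection threshold of 0.25 are all assumptions chosen for the example; the DNS records are constructed, not real traffic.

```python
import math
from collections import defaultdict

# Constructed sample of one time window of DNS traffic: (client host, queried
# name, response code). Made-up records for illustration, not data from the paper.
SAMPLE_DNS_LOG = [
    ("10.0.0.5", "www.example.com", "NOERROR"),
    ("10.0.0.5", "mail.example.com", "NOERROR"),
    ("10.0.0.7", "xk3j9qz1mwe.com", "NXDOMAIN"),
    ("10.0.0.7", "qp0v8lt2rnx.net", "NXDOMAIN"),
    ("10.0.0.7", "b7y4nmc1zkl.org", "NXDOMAIN"),
    ("10.0.0.7", "updates.example.com", "NOERROR"),
    ("10.0.0.9", "zt5w1hq9kdj.com", "NXDOMAIN"),
    ("10.0.0.9", "fr2m6xvp0ls.net", "NXDOMAIN"),
    ("10.0.0.9", "cdn.example.org", "NOERROR"),
    ("10.0.0.12", "news.example.org", "NOERROR"),
    ("10.0.0.12", "typo-examle.com", "NXDOMAIN"),   # a lone typo, not group activity
]


def shannon_entropy(text):
    """Bits per character of the string; a crude measure of how random a label looks."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(domain):
    """Label left of the TLD, e.g. 'xk3j9qz1mwe' for 'xk3j9qz1mwe.com'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def cluster_key(domain, rcode):
    """Bucketed feature vector used as the clustering key (assumed feature set)."""
    label = second_level_label(domain)
    return (rcode, int(shannon_entropy(label)), any(ch.isdigit() for ch in label))


def cluster_queries(log):
    """Group queries with similar characteristics: {cluster_key: [records]}."""
    clusters = defaultdict(list)
    for host, domain, rcode in log:
        clusters[cluster_key(domain, rcode)].append((host, domain, rcode))
    return clusters


def is_suspicious(records, min_nx=0.5, min_entropy=3.0, min_hosts=2):
    """Assumed rule: mostly failed lookups of random-looking names shared by several hosts."""
    nx_frac = sum(r[2] == "NXDOMAIN" for r in records) / len(records)
    mean_h = sum(shannon_entropy(second_level_label(r[1])) for r in records) / len(records)
    hosts = {r[0] for r in records}
    return nx_frac >= min_nx and mean_h >= min_entropy and len(hosts) >= min_hosts


def build_activity_matrix(clusters):
    """Suspicious group activity matrix: {host: {cluster_key: query count}},
    populated only from clusters judged suspicious."""
    matrix = defaultdict(lambda: defaultdict(int))
    for key, records in clusters.items():
        if is_suspicious(records):
            for host, _, _ in records:
                matrix[host][key] += 1
    return matrix


def negative_reputation(log):
    """Score each host: share of its queries in suspicious clusters, each cluster
    weighted by the fraction of all hosts that participate in it (assumed formula)."""
    clusters = cluster_queries(log)
    matrix = build_activity_matrix(clusters)
    total_hosts = len({h for h, _, _ in log})
    per_host_total = defaultdict(int)
    for host, _, _ in log:
        per_host_total[host] += 1
    scores = {}
    for host, n_host in per_host_total.items():
        score = 0.0
        for key, count in matrix.get(host, {}).items():
            hosts_in_cluster = len({h for h, _, _ in clusters[key]})
            score += (hosts_in_cluster / total_hosts) * count / n_host
        scores[host] = score
    return scores


def detect_bots(log, threshold=0.25):
    """Return (hosts flagged as bot-infected, all scores)."""
    scores = negative_reputation(log)
    return {h for h, s in scores.items() if s >= threshold}, scores


if __name__ == "__main__":
    bots, scores = detect_bots(SAMPLE_DNS_LOG)
    for host, score in sorted(scores.items()):
        print(f"{host:>10}  negative reputation = {score:.3f}  {'BOT' if host in bots else ''}")
```

On the constructed window, the five failed lookups of digit-bearing high-entropy labels fall into one cluster shared by 10.0.0.7 and 10.0.0.9, so both hosts score above the threshold, while 10.0.0.12's single NXDOMAIN for a typo forms a one-host cluster that never enters the matrix. The minimum-hosts condition is what turns a per-domain heuristic into a group-activity detector; lowering it trades fewer missed bots for more false alarms on ordinary misspellings.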