DeBiM: Detecting Bot-infected Machines by DNS Traffic Analysis
Abstract
A botnet is one of the major threats on the Internet; attackers use it to commit cybercrimes such as DoS attacks, theft of sensitive data, or spam distribution. Botnets constantly evolve, which makes them increasingly hard to detect. Command-and-Control (C&C) servers are ordinary machines that host the bot script, are placed on the Internet, and wait to be contacted by bot-infected machines via Domain Name System (DNS) queries. Infected machines typically issue seemingly random but systematic DNS queries to reach the C&C server. This Domain Generation Algorithm (DGA) technique makes it difficult for a monitoring system to detect the C&C server. In this paper, we present a methodology for detecting bot-infected machines from DNS traffic logs. Our technique distinguishes legitimate domains from DGA domains in the DNS log by combining a domain whitelist with a Natural Language Processing (NLP) technique.
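The two-stage filter described in the abstract (whitelist pass, then a lexical pass on what remains), as an added example that is not code from the paper. The log lines, the whitelist contents, and the NLP-style heuristic (Shannon entropy plus longest vowel-free run, with the thresholds shown) are all constructed assumptions; the paper does not specify which NLP features it uses.

```python
import math
import re
from collections import Counter

# Constructed DNS query log (client_ip, queried name); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 www.google.com
10.0.0.5 mail.example.org
10.0.0.9 xk3jd9q2lwpz.com
10.0.0.9 qwrtplkmnbvcxz.net
10.0.0.9 www.wikipedia.org
10.0.0.7 cdn.example.org
"""

# Constructed stand-in for an Alexa-style top-sites whitelist.
WHITELIST = {"google.com", "example.org", "wikipedia.org"}


def registered_domain(fqdn):
    """Reduce a queried name to its registered domain (label.tld)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(text):
    """Bits per character; random-looking labels score high."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def longest_consonant_run(text):
    """Length of the longest run with no vowel (assumed DGA heuristic)."""
    return max((len(r) for r in re.findall(r"[^aeiou]+", text)), default=0)


def looks_generated(label, entropy_min=3.0, run_min=5):
    """Lexical DGA test for one domain label; thresholds are assumptions."""
    return shannon_entropy(label) >= entropy_min or longest_consonant_run(label) >= run_min


def find_infected_hosts(log_text, whitelist):
    """Return {client_ip: {suspicious registered domains}} from a DNS log."""
    hits = {}
    for line in log_text.splitlines():
        client, name = line.split()
        domain = registered_domain(name)
        if domain in whitelist:                       # stage 1: whitelist pass
            continue
        if looks_generated(domain.split(".")[0]):     # stage 2: lexical pass
            hits.setdefault(client, set()).add(domain)
    return hits
```

Calling `find_infected_hosts(SAMPLE_LOG, WHITELIST)` on the constructed log flags only client 10.0.0.9, which queried both random-looking names; the whitelisted wikipedia.org lookup from the same host is ignored.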