Identifying Botnets Using Anomaly Detection Techniques Applied to DNS Traffic

1. Identifying Botnets Using Anomaly Detection Techniques Applied to DNS Traffic Speaker:Chiang Hong-Ren

2. Outline • Introduction • Anomaly detection techniques • DDNS-Based Bontet detection • Methodology • Experimental Results • Discussion • Conclusion

3. Introduction • The first approach consists in looking for domain names whose query rates are abnormally high or temporally concentrated. • The second approach consists in looking for abnormally recurring DDNS replies indicating that the query is for an inexistent name (NXDOMAIN). • This paper evaluates experimentally the effectiveness of these approaches for detecting botnets in enterprise and access provider networks.

4. Anomaly detection techniques • Dagon et al. use Chebyshev’s inequality and a simplified version of the Mahalanobis distance to quantify how anomalous the number of queries for each domain name is during a day or hour in that day,respectively. • Considering that botnets often use Third Level Domains (3LDs) instead of subdirectories Dagon et al.aggregate lookups for each Second Level Domain (SLD) with those of the respective 3LDs.

5. DDNS-Based Bontet detection • In their method, a “Canonical DNS Request Rate” (CDRR) aggregates the query rate of a SLD with the query rates of the SLD’s children 3LDs, according to the formula: • when the CDRR of a name is anomalous according to Chebyshev’s inequality that name has an abnormally high query rate and is likely to belong to a botnet C&C server. • They suggest that names whose feature vector differs from that of a normal name by more than a threshold are likely to belong to a botnet C&C server.

6. Methodology(1/3) • A. Data Collection • We used the tcpdump network sniffer to collect this data (11 GB) and store it in the pcap format. • We collected all DNS traffic at the University of Pittsburgh (Pitt)’s Computer Science (CS) department for a period of 192 hours (9 days) starting on 2/13/2007.

7. Methodology(2/3) B. Data Selection AA=Authoritative Answer RR=resource record NXDOMAIN= name error ANS = answer RR, AUTH=Authority RR TTL=Time to Live NS=Name Server SOA=Start of Authority

8. Methodology(3/3) C. Detection of abnormally high rates we verified whether the SLD is anomalous according to Chebyshev’s inequality with k = 4.47. We investigated whether anomalous SLDs are indeed suspicious. D. Detection of abnormally temporally concentrated rates The top SLDs with distances exceeding a threshold were considered anomalous. We investigated whether anomalous SLDs are indeed suspicious.

9. Experimental Results(1/8) • summarizes our results for detection based on abnormally high rates.

10. Experimental Results(2/8) SLDs In CS_NS with anomalous high rates and independently reported as suspicious.

11. Experimental Results(3/8)

12. Experimental Results(4/8)

13. Experimental Results(5/8)

14. Experimental Results(6/8)

15. Experimental Results(7/8)

16. Experimental Results(8/8)

17. Discussion • distinguishing DDNS queries from other DNS queries is difficult in enterprise and access provider networks. • Many legitimate domains, such as google.com, yahoo.com, and weather.com use low TTL values. • some legitimate and popular domain names, such as mozilla.com, are also hosted by DDNS providers. • Smaller botnets can be expected to generate fewer queries for each C&C server,making the latter’s detection more difficult.

18. Conclusion • the first approach generated many false positives (legitimate names classified as C&C servers). • the second approach was effective. Most of the names it detected were independently reported as suspicious by others. • The two different algorithm for botnet detection are proposed and both can detect the specific activity of botnet nicely. • Increasingly, popular legitimate names such as gmail.com and mozilla.com are using low TTL values or DDNS hosting, blurring boundaries and confounding classifications.