170 likes | 521 Views
Botnet Detection by Monitoring Group Activities in DNS Traffic. Speaker: Jun-Yi Zheng 2009/11/23. Reference.
E N D
Botnet Detection by Monitoring Group Activities in DNS Traffic Speaker: Jun-Yi Zheng 2009/11/23
Reference • H. Choi, H. Lee, H. Lee, and H. Kim. Botnet detection bymonitoring group activities in dns traffic. In Proceedings ofthe 7th IEEE International Conference on Computer and InformationTechnology (CIT’07), Washington, DC, October2007.
Outline • INTRODUCTION • FEATURES of BOTNET DNS • DNS-BASED BOTNET DETECTION MECHANISM • EVALUATION • CONCLUSION
Introduction • Most of bots use DNS in rallying process
Rally Problem • Static IP address or DDNS?
C&C Server Migration • Botnets were migrate their C&C server frequently • There observed most of them (65%) are moved only up for 1 day
Features of Botnet DNS • At the rallying procedure • At the malicious behaviors of a botnet • At C&C server link failures • At C&C server migration • At C&C server IP address changes
Botnet DNS Query Detection Algorithm • Insert-DNS-Query
A C B Botnet DNS Query Detection Algorithm • Delete-DNS-Query • If the size of IP list do not exceed the size threshold or the domain name is legitimate which already exist in a whitelist • Detect-BotDNS-Query • Similarity
Migrating Botnet Detection Algorithm • Insert-DNS-Query • Delete-DNS-Query • Detect-BotDNS-Query • compare the IP lists of different domain name which have similar size of IP list
Evaluation • the system is executed on a campus network with botnet • 50 machines are used in the botnet (Agobot) • captured the traffic for 10 hours • parameter • A time unit is 1 hour • A size threshold for the detection algorithm is 5(size of IP List) • similarity threshold is 0.8
Botnet DNS Query Detection • During 1 hour Over 80% was 1 92.5% 5
(a),(c),(d),(e) were identified as P2P cites or a cite of enormous size of file transferring Botnet DNS Query Detection
Migrating Botnet Detection • the ”similar size” are settled within 10% of the size of IP list
Conclusions • significant features of botnet DNS queries • a simple mechanism to detect a botnet by using a DNS queries • The two different algorithm for botnet detection