Botnet Detection by Monitoring Group Activities in DNS Traffic. Speaker: Jun-Yi Zheng, 2009/11/23
Reference: H. Choi, H. Lee, H. Lee, and H. Kim. Botnet Detection by Monitoring Group Activities in DNS Traffic. In Proceedings of the 7th IEEE International Conference on Computer and Information Technology (CIT'07), Washington, DC, October 2007.
Outline: Introduction; Features of Botnet DNS; DNS-based Botnet Detection Mechanism; Evaluation; Conclusion
Introduction: Most bots use DNS in the rallying process (locating their C&C server).
Rally problem: static IP address or DDNS?
C&C Server Migration: Botnets migrate their C&C servers frequently; it was observed that most of them (65%) stayed up for only 1 day.
Features of Botnet DNS. Botnet DNS queries appear: at the rallying procedure; during the malicious behaviors of a botnet; at C&C server link failures; at C&C server migration; at C&C server IP address changes.
Differences between botnet and legitimate DNS queries:
| Difference | Botnet DNS | Legitimate DNS |
| Source IPs accessing the domain name | Fixed-size group (botnet members) | Anonymous (legitimate users) |
| Activity and appearance patterns | Group activity; appears intermittently (in specific situations) | Non-group activity; appears randomly and continuously (usually) |
| DNS type | Usually DDNS | - |
Botnet DNS Query Detection Algorithm
Insert-DNS-Query (builds the IP list of source addresses for each queried domain name).
Delete-DNS-Query: discard a query if the size of its IP list does not exceed the size threshold, or if the domain name is legitimate, i.e. already present in a whitelist.
Detect-BotDNS-Query: compare the similarity of the IP lists (figure: overlap of IP lists A, B and C).
Migrating Botnet Detection Algorithm
The same three steps (Insert-DNS-Query, Delete-DNS-Query, Detect-BotDNS-Query), except that Detect-BotDNS-Query compares the IP lists of different domain names whose IP lists have a similar size.
Evaluation: the system was executed on a campus network with a botnet; 50 machines were used in the botnet (Agobot); traffic was captured for 10 hours. Parameters: a time unit is 1 hour; the size threshold for the detection algorithm is 5 (size of the IP list); the similarity threshold is 0.8.
Botnet DNS Query Detection: during 1 hour, over 80% of the IP lists had size 1, and 92.5% had a size of up to 5 (the size threshold).
Botnet DNS Query Detection: the remaining domains (a), (c), (d), (e) in the figure were identified as P2P sites or a site with an enormous volume of file transfers.
Migrating Botnet Detection: "similar size" is defined as being within 10% of the size of the IP list.
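An added illustration of the three detection steps and the migration check, run over a constructed DNS query log (this is not code from the paper or the slides). The domain names, IP addresses, the use of the Jaccard index as the similarity measure, and the reading of Delete-DNS-Query as dropping lists that do not exceed the threshold are assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample log: (time_unit, source_ip, queried_domain). All names and addresses are made up.
BOTS = [f"10.0.0.{i}" for i in range(1, 7)]                      # fixed group of 6 hosts
SAMPLE_QUERIES = (
    [(1, ip, "cc-one.example") for ip in BOTS] +                  # rally in hour 1
    [(2, ip, "cc-one.example") for ip in BOTS] +                  # same group again in hour 2
    [(3, ip, "cc-two.example") for ip in BOTS] +                  # C&C migrated to a new name
    [(1, f"192.168.1.{i}", "www.campus.example") for i in range(1, 9)] +  # whitelisted site
    [(1, f"172.16.0.{i}", "video.example") for i in range(1, 8)] +        # anonymous users...
    [(2, f"172.16.0.{i}", "video.example") for i in range(20, 27)]        # ...different each hour
)
WHITELIST = frozenset({"www.campus.example"})

def insert_dns_queries(queries):
    """Insert-DNS-Query: collect, per (time unit, domain), the set of source IPs that queried it."""
    ip_lists = defaultdict(set)
    for t, ip, domain in queries:
        ip_lists[(t, domain)].add(ip)
    return ip_lists

def delete_dns_queries(ip_lists, size_threshold=5, whitelist=WHITELIST):
    """Delete-DNS-Query: drop lists that do not exceed the size threshold or whose domain is whitelisted."""
    return {k: v for k, v in ip_lists.items()
            if len(v) > size_threshold and k[1] not in whitelist}

def similarity(a, b):
    """Overlap of two IP sets (Jaccard index; assumption, the slides do not name the measure)."""
    return len(a & b) / len(a | b) if a or b else 0.0

def detect_bot_dns_queries(ip_lists, sim_threshold=0.8):
    """Detect-BotDNS-Query: a domain queried by a similar IP group in two time units is group activity."""
    by_domain = defaultdict(list)
    for (t, domain), ips in ip_lists.items():
        by_domain[domain].append(ips)
    return {d for d, lists in by_domain.items()
            if any(similarity(a, b) >= sim_threshold for a, b in combinations(lists, 2))}

def detect_migration(ip_lists, sim_threshold=0.8, size_tolerance=0.10):
    """Migrating botnet: different domains with similar-size (within 10%) and similar IP lists."""
    found = set()
    for ((t1, d1), a), ((t2, d2), b) in combinations(ip_lists.items(), 2):
        if d1 == d2 or abs(len(a) - len(b)) > size_tolerance * max(len(a), len(b)):
            continue
        if similarity(a, b) >= sim_threshold:
            found.add(tuple(sorted((d1, d2))))
    return found
```

On the constructed log, detect_bot_dns_queries flags only cc-one.example (the same six hosts query it in two hours, while video.example is queried by different hosts each hour), and detect_migration pairs cc-one.example with cc-two.example because the same group moved to a new name.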
Conclusions: significant features of botnet DNS queries; a simple mechanism to detect a botnet by using DNS queries; two different algorithms for botnet detection (botnet DNS query detection and migrating botnet detection).