botnet detection by monitoring group activities in dns traffic n.
Skip this Video
Loading SlideShow in 5 Seconds..
Botnet Detection by Monitoring Group Activities in DNS Traffic PowerPoint Presentation
Download Presentation
Botnet Detection by Monitoring Group Activities in DNS Traffic

Loading in 2 Seconds...

play fullscreen
1 / 18

Botnet Detection by Monitoring Group Activities in DNS Traffic - PowerPoint PPT Presentation

  • Uploaded on

Botnet Detection by Monitoring Group Activities in DNS Traffic. Speaker:Chiang Hong-Ren. Outline. Abstract Introduction Related Work Bontet DNS-Based Botnet Detection Mechanism Evaluation Discussion Conclusion. Abstract.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

Botnet Detection by Monitoring Group Activities in DNS Traffic

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
    Presentation Transcript
    1. Botnet Detection by Monitoring Group Activities in DNS Traffic Speaker:Chiang Hong-Ren

    2. Outline • Abstract • Introduction • Related Work • Bontet • DNS-Based Botnet Detection Mechanism • Evaluation • Discussion • Conclusion

    3. Abstract • we propose a botnet detection mechanism by monitoring DNS traffic to detect botnets, which form a group activity in DNS queries simultaneously sent by distributed bots. • From the experiments on a campus network, it is shown that the proposed mechanism can detect botnets effectively while bots are connecting to their server or migrating to another server.

    4. Introduction • We have developed the botnet detection mechanism with the following four steps. • we found several features of botnet DNS traffic that is distinguishable from legitimate DNS traffic. • we defined the key feature of DNS traffic called group activity. • we developed an algorithm that differentiate botnet DNS query by using group activity feature. • we analyzed the algorithm to prove feasibility of our mechanism.

    5. Related Work • Barford et al. presented a perspective based on an in-depth analysis of bot software source code and reveals the complexity of botnet software. • Bots are sending DNS queries in order to access the C&C channel server. Used DNS redirection to monitor botnets. • Dagon also present botnet Detection and response approach with analyzing peculiarity of botnet rallying DNS traffic. • Ramachandran developed techniques and heuristics for detecting DNSBL reconnaissance activity.

    6. BotNet - Growth of Botnet(1/4) • A botnet is a large pool of compromised hosts that are controlled by a botmaster. • Recent botnets use the Internet Relay Chat (IRC) server as their C&C server for controlling the botnet. • However the traffic among bots, the C&C sever and the botmaster can be considered as legitimate traffic because it is hard to distinguish from normal traffic.

    7. BotNet - Rally Problem and IRC Server(2/4) • The key problem of a botmaster is how to rally the infected hosts. • Botmaster want their botnets to be invisible and portable. • they uses DNS for rallying. It is possible to use other method for rallying the bots. • Most of them cannot provide both mobility and invisibility at the same time. • the hard coded IP address is unchangeable, so it cannot provide any mobility.

    8. BotNet - C&C Server Migration(3/4) • If a botnet uses only a single C&C server, the botnet could easily be detected and disarmed. • A botmaster wants to arrange several C&C servers which can be listed in the bot binary for the stability of the botnet and uses a dynamic DNS (DDNS). • root C&C server cannot operate well or link failure occurred, candidate C&C servers can be a feasible substitution for the root C&C server. • previous domain name of botnet C&C server is blocked, botmaster can just moves his botnet to another candidate C&C server.

    9. BotNet - Features of Botnet DNS(4/4) • Infected hosts automatically access the C&C server with its domain name. • At the rallying procedure • At the malicious behaviors of a botnet • At C&C server link failures • At C&C server migration • At C&C server IP address changes

    10. DNS-Based Botnet Detection Mechanism(1/3) • We developed a botnet DNS query detection algorithm by using the different features of botnet DNS and legitimate DNS.

    11. DNS-Based Botnet Detection Mechanism(2/3) • Botnet DNS Query Detection Algorithm (BDQDA) • Insert-DNS-Query • We inserted the domain name and source IP address of queries to A • checking it already existed in A. • check the IP address already exist in the IP list of the domain name. • Delete-DNS-Query • removing redundant DNS query. • If the size of IP list do not exceed the size threshold • the domain name is legitimate which already exist in a whitelist • Detect-BotDNS-Query • We define and compute numerical value of group activity of botnet DNS, called similarity. • We let S denote the similarity such that

    12. DNS-Based Botnet Detection Mechanism(3/3) • Migrating Botnet Detection Algorithm (MBDA) • The first and second stage( Insert-DNS-Query and Delete-DNS-Query) are same but third step of algorithm is different. • bots use two different domain name of C&C server, therefore we compare the IP lists of different domain name which have similar size of IP list. • Botnet Detection System • The botnet detection system that combines both of botnet query detection and migrating botnet detection, requires DNS traffic data. • Moreover, the system is sensitive to the threshold values so, it must be carefully decided.

    13. Evaluation(1/4) • We made the scenario script for verifying the algorithms and the scenario includes • botnet construction • rally to the C&C server • command and control for spam mailing, DDoS attack, C&C server migration • We also migrates our botnet from root IRC C&C server to candidate IRC server for verifying the migrating botnet detection algorithm. • A time unit is 1 hour and a size threshold for the detection algorithm is 5(size of IP List) and similarity threshold is 0.8.

    14. Evaluation(2/4)

    15. Evaluation(3/4)

    16. Evaluation(4/4)

    17. Discussion • The botnet can evade our algorithms when the botnet uses DNS only at initializing and never use it again (moreover, do not migrate the botnet). • It is possible to paralyze our algorithm with intentionally generated DNS queries that spoof their sources.

    18. Conclusion • It is necessary to provide appropriate countermeasure botnet which become a one of the biggest threat of network security and major contributor to unwanted network traffic. • we researched a simple mechanism to detect a botnet by using a DNS queries which used by botnet. • The two different algorithm for botnet detection are proposed and both can detect the specific activity of botnet nicely.