1 / 17

Botnet Detection by Monitoring Group Activities in DNS Traffic

Botnet Detection by Monitoring Group Activities in DNS Traffic. Speaker: Jun-Yi Zheng 2009/11/23. Reference.

rinaldo
Download Presentation

Botnet Detection by Monitoring Group Activities in DNS Traffic

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Botnet Detection by Monitoring Group Activities in DNS Traffic Speaker: Jun-Yi Zheng 2009/11/23

  2. Reference • H. Choi, H. Lee, H. Lee, and H. Kim. Botnet detection bymonitoring group activities in dns traffic. In Proceedings ofthe 7th IEEE International Conference on Computer and InformationTechnology (CIT’07), Washington, DC, October2007.

  3. Outline • INTRODUCTION • FEATURES of BOTNET DNS • DNS-BASED BOTNET DETECTION MECHANISM • EVALUATION • CONCLUSION

  4. Introduction • Most of bots use DNS in rallying process

  5. Rally Problem • Static IP address or DDNS?

  6. C&C Server Migration • Botnets were migrate their C&C server frequently • There observed most of them (65%) are moved only up for 1 day

  7. Features of Botnet DNS • At the rallying procedure • At the malicious behaviors of a botnet • At C&C server link failures • At C&C server migration • At C&C server IP address changes

  8. Differences

  9. Botnet DNS Query Detection Algorithm • Insert-DNS-Query

  10. A C B Botnet DNS Query Detection Algorithm • Delete-DNS-Query • If the size of IP list do not exceed the size threshold or the domain name is legitimate which already exist in a whitelist • Detect-BotDNS-Query • Similarity

  11. Migrating Botnet Detection Algorithm • Insert-DNS-Query • Delete-DNS-Query • Detect-BotDNS-Query • compare the IP lists of different domain name which have similar size of IP list

  12. Evaluation • the system is executed on a campus network with botnet • 50 machines are used in the botnet (Agobot) • captured the traffic for 10 hours • parameter • A time unit is 1 hour • A size threshold for the detection algorithm is 5(size of IP List) • similarity threshold is 0.8

  13. Botnet DNS Query Detection • During 1 hour Over 80% was 1 92.5% 5

  14. (a),(c),(d),(e) were identified as P2P cites or a cite of enormous size of file transferring Botnet DNS Query Detection

  15. Migrating Botnet Detection • the ”similar size” are settled within 10% of the size of IP list

  16. Conclusions • significant features of botnet DNS queries • a simple mechanism to detect a botnet by using a DNS queries • The two different algorithm for botnet detection

More Related