A framework for DNS based detection and mitigation of malware infections on a network
Related papers
A survey of botnet detection based on DNS
Botnets are a thorny and grave problem of today's Internet, resulting in economic damage for organizations and individuals. A botnet is a group of compromised hosts, known as bots, running a malicious software program for malicious purposes. It is also worth mentioning that the current trend of botnets is to hide their identities (i.e., the command and control server) using DNS services to hinder their identification. Fortunately, different approaches have been proposed and developed to tackle the problem of botnets; however, the problem still rises and emerges, causing a serious threat to cyberspace-based businesses and individuals. Therefore, this paper explores the various botnet detection techniques by providing a survey of the current state of the art in the field of botnet detection techniques based on DNS traffic analysis. To the best of our knowledge, this is the first survey to discuss DNS-based botnet detection techniques in which the problems, existing solutions and future research directions in the field of botnet detection based on DNS traffic analysis for effective botnet detection mechanisms in the future are explored and clarified.
Detecting Malware Domains: A Cyber-Threat Alarm System
1st EAI International Conference on Emerging Technologies for Developing Countries, 2017
Throughout the years, hackers' intentions have varied from curiosity, to financial gains, to political statements. Armed with their botnets, bot masters could crash a server or website. Statistics show that botnet activity accounts for 29% of Internet traffic. But how can bot masters establish undetected communication with their botnets? The answer lies in the Domain Name System (DNS), using which hackers host their own domain and assign to it changing IP addresses to avoid being detected. In this paper, we propose a multi-factor cyber-threat detection system that relies on DNS traffic analysis for the detection of malicious domains. The proposed system was implemented and tested, and the results yielded are very promising.
Botnet Detection Based On Machine Learning Techniques Using DNS Query Data
Future Internet, 2018
In recent years, botnets have become one of the major threats to information security because they have been constantly evolving in both size and sophistication. A number of botnet detection measures, such as honeynet-based and Intrusion Detection System (IDS)-based, have been proposed. However, IDS-based solutions that use signatures seem to be ineffective because recent botnets are equipped with sophisticated code update and evasion techniques. A number of studies have shown that abnormal botnet detection methods are more effective than signature-based methods because anomaly-based botnet detection methods do not require pre-built botnet signatures and hence they have the capability to detect new or unknown botnets. In this direction, this paper proposes a botnet detection model based on machine learning using Domain Name Service query data and evaluates its effectiveness using popular machine learning techniques. Experimental results show that machine learning algorithms can be used effectively in botnet detection and the random forest algorithm produces the best overall detection accuracy of over 90%.
Detecting Botnet Activities Based on Abnormal DNS traffic
arXiv preprint arXiv: …, 2009
The botnet is considered a critical issue of the Internet due to its fast-growing mechanism and effect. Recently, botnets have utilized DNS and query the DNS server just like any legitimate host. In this case, it is difficult to distinguish between legitimate DNS traffic and illegitimate DNS traffic. It is important to build a suitable solution for botnet detection in DNS traffic and consequently protect the network from malicious botnet activities. In this paper, a simple mechanism is proposed that monitors DNS traffic and detects the abnormal DNS traffic issued by the botnet, based on the fact that botnets appear as a group of hosts periodically. The proposed mechanism is also able to classify the DNS traffic requested by a group of hosts (group behavior) and by single hosts (individual behavior), and consequently detect the abnormal domain names issued by malicious botnets. Finally, the experimental results proved that the proposed mechanism is robust and able to classify DNS traffic, and efficiently detects botnet activity with an average detection rate of 89%.
Hybrid rule-based botnet detection approach using machine learning for analysing DNS traffic
2021
Botnets can simultaneously control millions of Internet-connected devices to launch damaging cyber-attacks that pose significant threats to the Internet. In a botnet, bot-masters communicate with the command and control server using various communication protocols. One of the widely used communication protocols is the 'Domain Name System' (DNS) service, an essential Internet service. Bot-masters utilise Domain Generation Algorithms (DGA) and fast-flux techniques to avoid static blacklists and reverse engineering while remaining flexible. However, a botnet's DNS communication generates anomalous DNS traffic throughout the botnet life cycle, and such an anomaly is considered an indicator of the presence of DNS-based botnets in the network. Although several approaches have been proposed to detect botnets based on DNS traffic analysis, the problem still exists and is challenging due to several reasons, such as not considering significant features and rules that contribute to the detection of DNS-base...
Detecting and Preventing the Malicious System based on DNS Analysis
Attackers are usually busy launching malicious threats to damage compromised hosts. Botnets are a newly developed technology of attackers, whose duty is to increase the traffic in the DNS service to launch attacks. Due to increased traffic in DNS, botmasters create a new channel between server and client; it has the capability to command and control the operating system and automatically generate more queries over DNS to increase the traffic. Many botnet operators use HTTP servers to pass the information. In this paper, we propose a viable approach called Wide Packet Inspection to analyze DNS traffic in order to control and avoid botnets. This paper provides a countermeasure against botnet operators to slow down bot activity.
Detecting Malicious Fast-Flux Domains Using Feature-based Classification Techniques
Journal of Internet Technology, 2020
In recent years, new-generation botnets tend to use an evasion technique based on the Domain Name System (DNS) called Fast-Flux Service Network (FFSN) to hide the actual location of their malicious servers. Detection of FFSNs continues to be a challenging issue because of the similar behavior between FFSNs and other legitimate infrastructures, such as Content Delivery Networks (CDNs) and Round Robin Domain Name System (RRDNS). In this paper, we present a novel approach based on analyzing passive DNS traffic traces to detect malicious FFSNs. By analyzing DNS traces, we extracted ten key features and employed them in popular machine learning algorithms to build classifiers that aim to classify a domain as either a malicious flux service or legitimate. Seven of the ten features are first introduced in this study. The effectiveness of the selected features is illustrated by comparing the distribution of the 95% confidence interval for the mean and standard errors between legit, malware and fast-fl...
REMaDD: Resource-Efficient Malicious Domains Detector in Large-Scale Networks
IEEE Access, 2020
Detecting malicious activities in cyber systems is a major challenge for cybersecurity service providers. Due to the large amount of network traffic, it is often likened to finding a needle in a haystack. The Domain Name System (DNS) is one of the fundamental protocols of the Internet, and therefore it can give a broad view of those malicious activities which abuse it and leave fingerprints as part of their attack vector. In this collaborative research between Ben-Gurion University and IBM, a significant performance improvement was achieved in detecting malicious domains as compared to state-of-the-art software solutions. Specifically, we establish a novel algorithm to detect malicious domains in large-scale DNS traffic, named Resource-Efficient Malicious Domain Detector (REMaDD), with the following desired properties. First, the algorithm does not require prior knowledge of historical malicious activities in its real-time operation. Second, the development used real live streaming data from The Inter-University Computation Center (IUCC), and operated on a real-time IBM system. The algorithm is highly computationally efficient and satisfies real-time requirements in terms of running time and computational complexity. REMaDD demonstrated strong performance in terms of both detection accuracy and computational efficiency as compared to existing algorithms. Specifically, experimental results on the IBM production environment demonstrated that REMaDD achieved an 89.4% Precision score and an 82.9% Recall score. By contrast, the DomainObserver and LSTM.MI algorithms achieved only 76.7% and 67.2% Precision scores, and 81.7% and 75.3% Recall scores, respectively. Index terms: Cyber security, Domain name system (DNS), Detection algorithms, Real-time algorithms.
Botnet detection based on DNS records and active probing
2011
Computers connected to the Internet are constantly threatened by different types of malware. One of the most important types of malware is the botnet, which converts infected computers into agents that follow actions instructed by a command-and-control server. A botmaster can control thousands of agents. This means a significant capacity to accomplish any kind of network attack (DoS), email spam or phishing. In this paper, communication peculiarities with the command-and-control server are used to provide an identification of computers infected by a botnet. This identification is based mainly on DNS records of registered domains where command-and-control servers are hosted. Therefore, processing overhead is reduced by avoiding per-packet or per-flow network supervision.
A Novel Approach for Detecting DGA-Based Botnets in DNS Queries Using Machine Learning Techniques
Journal of Computer Networks and Communications, 2021
In today's security landscape, advanced threats are becoming increasingly difficult to detect as the pattern of attacks expands. Classical approaches that rely heavily on static matching, such as blacklisting or regular expression patterns, may be limited in flexibility or uncertainty in detecting malicious data in system data. This is where machine learning techniques can show their value and provide new insights and higher detection rates. The behavior of botnets that use domain-flux techniques to hide command and control channels was investigated in this research. The machine learning algorithm and text mining used to analyze the network DNS protocol and identify botnets are also described. For this purpose, extracted and labeled domain name datasets containing healthy and infected DGA botnet data were used. Data preprocessing techniques based on a text-mining approach were applied to explore domain name strings with n-gram analysis and PCA. Its performance is improved by extrac...