Presentation is loading. Please wait.

Presentation is loading. Please wait.

Botnet Detection by Monitoring Group Activities in DNS Traffic

Published byShinta Agusalim Modified over 5 years ago

Similar presentations

Presentation on theme: "Botnet Detection by Monitoring Group Activities in DNS Traffic"— Presentation transcript:

1 Botnet Detection by Monitoring Group Activities in DNS Traffic
Speaker: Jun-Yi Zheng 2009/11/23

2 Reference H. Choi, H. Lee, H. Lee, and H. Kim. Botnet detection by monitoring group activities in dns traffic. In Proceedings of the 7th IEEE International Conference on Computer and Information Technology (CIT’07), Washington, DC, October 2007.

3 Outline INTRODUCTION FEATURES of BOTNET DNS
DNS-BASED BOTNET DETECTION MECHANISM EVALUATION CONCLUSION

4 Introduction Most of bots use DNS in rallying process

5 Rally Problem Static IP address or DDNS?

6 C&C Server Migration Botnets were migrate their C&C server frequently
There observed most of them (65%) are moved only up for 1 day

7 Features of Botnet DNS At the rallying procedure
At the malicious behaviors of a botnet At C&C server link failures At C&C server migration At C&C server IP address changes

8 Differences Source IPs accessed to domain name
Activity and Appearance Patterns DNS Type Botnet DNS Fixed size Group (Botnet members) Group activity Intermittently appeared (Specific situation) Usually DDNS Legitimate Anonymous (Legitimate users) Non-group activity Randomly and continuously appered (Usually)

9 Botnet DNS Query Detection Algorithm
Insert-DNS-Query

10 Botnet DNS Query Detection Algorithm
Delete-DNS-Query If the size of IP list do not exceed the size threshold or the domain name is legitimate which already exist in a whitelist Detect-BotDNS-Query Similarity A C B

11

12 Migrating Botnet Detection Algorithm
Insert-DNS-Query Delete-DNS-Query Detect-BotDNS-Query compare the IP lists of different domain name which have similar size of IP list

13 Evaluation the system is executed on a campus network with botnet
50 machines are used in the botnet (Agobot) captured the traffic for 10 hours parameter A time unit is 1 hour A size threshold for the detection algorithm is 5(size of IP List) similarity threshold is 0.8

14 Botnet DNS Query Detection
During 1 hour Over 80% was 1 92.5% 5

15 Botnet DNS Query Detection
(a),(c),(d),(e) were identified as P2P cites or a cite of enormous size of file transferring

16 Migrating Botnet Detection
the ”similar size” are settled within 10% of the size of IP list

17 Conclusions significant features of botnet DNS queries
a simple mechanism to detect a botnet by using a DNS queries The two different algorithm for botnet detection

Download ppt "Botnet Detection by Monitoring Group Activities in DNS Traffic"

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
Reporter: Jing Chiu Advisor: Yuh-Jye Lee 2015/7/181Data Mining & Machine Learning Lab.

Reporter: Jing Chiu Advisor: Yuh-Jye Lee /7/181Data Mining & Machine Learning Lab.
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.
B OT GAD: D ETECTING B OTNETS BY C APTURING G ROUP A CTIVITIES IN N ETWORK T RAFFIC Hyunsang Choi, Heejo Lee, and Hyogon Kim COMSWARE '09, Proceedings.

B OT GAD: D ETECTING B OTNETS BY C APTURING G ROUP A CTIVITIES IN N ETWORK T RAFFIC Hyunsang Choi, Heejo Lee, and Hyogon Kim COMSWARE '09, Proceedings.
MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.

MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.
A Hierarchical Hybrid Structure for Botnet Control and Command A Hierarchical Hybrid Structure for Botnet Control and Command Zhiqi Zhang, Baochen Lu,

A Hierarchical Hybrid Structure for Botnet Control and Command A Hierarchical Hybrid Structure for Botnet Control and Command Zhiqi Zhang, Baochen Lu,
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.

An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.
Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.

Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.
Threat infrastructure: proxies, botnets, fast-flux

Threat infrastructure: proxies, botnets, fast-flux
Bayesian Bot Detection Based on DNS Traffic Similarity Ricardo Villamarín-Salomón, José Carlos Brustoloni Department of Computer Science University of.

Bayesian Bot Detection Based on DNS Traffic Similarity Ricardo Villamarín-Salomón, José Carlos Brustoloni Department of Computer Science University of.
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings.

2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings.
WAC/ISSCI 20061 Automated Anomaly Detection Using Time-Variant Normal Profiling Jung-Yeop Kim, Utica College Rex E. Gantenbein, University of Wyoming.

WAC/ISSCI Automated Anomaly Detection Using Time-Variant Normal Profiling Jung-Yeop Kim, Utica College Rex E. Gantenbein, University of Wyoming.
Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.

Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.
Automated malware classification based on network behavior

Automated malware classification based on network behavior
1 Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling - Proceedings.

1 Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling - Proceedings.

Similar presentations

Ads by Google