How to Achieve Early Botnet Detection at the Provider Level?

Abstract

Botnets are an enabler for many cyber-criminal activities and are often responsible for DDoS attacks, banking fraud, cyber-espionage and extortion. Botnets are controlled by a botmaster who uses various advanced techniques to create, maintain and hide their complex and distributed C&C infrastructures. First, they use P2P techniques and domain fast-flux to increase resilience against take-down actions. Second, botnets encrypt their communication payload to prevent signature-based detection. Both the actions to increase resilience and the prevention of signature-based detection are counteractions against detection techniques. In contrast to existing approaches, our novel approach includes DNS registration behaviour, which we currently analyse for the .com, .net and .org domains, representing half of the registered domains on the Internet. Hence, the goal of this PhD research is to enable early detection of the deployment and operation of botnets to facilitate proactive mitigation strategies, whereas current approaches usually detect botnets while they are already in active use. Consequently, this proactive approach prevents botnets from fully evolving their size and attack power. Moreover, as many end users are unable to detect and clean infected machines, our approach tackles the botnet phenomenon without requiring any end-user involvement, by incorporating ISPs and domain name registrars. In addition, this will enable the discovery of similar behaviour across different connected systems, which allows detection in cases where bots are registered under domains that are not willing to cooperate.
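The abstract names two provider-visible signals: registration behaviour seen by a registrar or zone feed, and the fast-flux resolution behaviour an ISP resolver sees. The following is an editor-added illustration of how those two signals can be scored and correlated; it is not code from the paper or from the authors' system. The registrant handle, delegated nameserver and origin-AS fields, all thresholds, and the sample registration and resolution records are constructed assumptions chosen to make the example run offline.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import math


@dataclass(frozen=True)
class Registration:
    """One new-domain event as a registrar or zone feed might report it (assumed fields)."""
    domain: str
    registrant: str        # registrant handle as reported by the registrar
    nameserver: str        # first authoritative NS delegated at registration
    registered_at: datetime


@dataclass(frozen=True)
class Resolution:
    """One observed A-record answer, e.g. from a provider's resolver logs."""
    domain: str
    ip: str
    ttl: int
    asn: int               # origin AS of ip, assumed to come from a prefix-to-AS lookup
    observed_at: datetime


def label_entropy(domain: str) -> float:
    """Shannon entropy (bits) of the second-level label; generated names score high."""
    label = domain.split(".")[0]
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registration_bursts(regs, window=timedelta(hours=24), min_size=5, min_entropy=3.0):
    """Flag (registrant, nameserver) pairs that register >= min_size high-entropy
    domains inside one `window`; thresholds are illustrative, not from the paper.
    Returns [(registrant, nameserver, [domains])], largest burst first."""
    groups = defaultdict(list)
    for r in regs:
        groups[(r.registrant, r.nameserver)].append(r)
    flagged = []
    for (registrant, ns), items in groups.items():
        items.sort(key=lambda r: r.registered_at)
        start, best = 0, []
        for end in range(len(items)):           # sliding window over sorted timestamps
            while items[end].registered_at - items[start].registered_at > window:
                start += 1
            if end - start + 1 > len(best):
                best = items[start:end + 1]
        if len(best) >= min_size:
            avg_entropy = sum(label_entropy(r.domain) for r in best) / len(best)
            if avg_entropy >= min_entropy:
                flagged.append((registrant, ns, [r.domain for r in best]))
    flagged.sort(key=lambda t: -len(t[2]))
    return flagged


def fast_flux_candidates(resolutions, max_ttl=300, min_ips=5, min_asns=3):
    """Flag domains whose answers rotate over many IPs in many ASes with short TTLs,
    the classic fast-flux profile. A CDN also rotates IPs, but usually within few
    ASes and with longer TTLs, which is what the asn and ttl conditions separate."""
    per_domain = defaultdict(lambda: {"ips": set(), "asns": set(), "max_ttl": 0})
    for res in resolutions:
        d = per_domain[res.domain]
        d["ips"].add(res.ip)
        d["asns"].add(res.asn)
        d["max_ttl"] = max(d["max_ttl"], res.ttl)
    return sorted(dom for dom, d in per_domain.items()
                  if len(d["ips"]) >= min_ips and len(d["asns"]) >= min_asns
                  and d["max_ttl"] <= max_ttl)


T0 = datetime(2016, 6, 1, 0, 0)

# Constructed registration feed: one registrant bulk-registers random-looking .com
# names seven minutes apart; another registers ordinary .org names days apart.
SAMPLE_REGISTRATIONS = [
    Registration(f"{n}.com", "REG-7731", "ns1.example-dns.net", T0 + timedelta(minutes=7 * i))
    for i, n in enumerate(["xq8v2kz9pl", "m3tb7wq1zd", "k9p2rd5xva",
                           "zt4nq8cwy1", "hb6sy3vkm0", "wc1dz7pq5r"])
] + [
    Registration(f"{n}.org", "REG-0042", "ns1.example-hosting.com", T0 + timedelta(days=3 * i))
    for i, n in enumerate(["bakery", "garden", "books", "travel", "music"])
]

# Constructed resolver observations (documentation prefixes and AS numbers): the
# first burst domain flips through six IPs in six ASes with TTL 60; the bakery
# site spreads over six IPs but only two ASes and a one-hour TTL.
SAMPLE_RESOLUTIONS = [
    Resolution("xq8v2kz9pl.com", f"198.51.100.{i}", 60, 64496 + i, T0 + timedelta(minutes=i))
    for i in range(6)
] + [
    Resolution("bakery.org", f"203.0.113.{i}", 3600, 64502 + i % 2, T0 + timedelta(minutes=i))
    for i in range(6)
]


def run_sample():
    """Correlate both signals: a domain born in a registration burst that then
    fast-fluxes is the kind of early indicator the abstract argues for."""
    bursts = registration_bursts(SAMPLE_REGISTRATIONS)
    flux = fast_flux_candidates(SAMPLE_RESOLUTIONS)
    burst_domains = {d for _, _, doms in bursts for d in doms}
    return {"bursts": bursts, "fast_flux": flux, "both": sorted(burst_domains & set(flux))}


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

The registration check keys on registrant plus delegated nameserver because a single registrant handle is cheap to vary, while the sliding window keeps a slow, legitimate registrant from ever reaching the burst size. The fast-flux check deliberately requires AS diversity and short TTLs together, since either alone also describes ordinary CDN hosting.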
Original language: Undefined
Title of host publication: Proceedings of the 10th IFIP WG 6.6 International Conference on Management and Security in the Age of Hyperconnectivity, AIMS 2016
Place of Publication: London
Publisher: Springer Verlag
Pages: 142-146
Number of pages: 5
ISBN (Print): 978-3-319-39813-6
DOIs: 10.1007/978-3-319-39814-3_15
State: Published - Jun 2016

Publication series

Name: Lecture Notes in Computer Science
Publisher: Springer Verlag
Volume: 9701
ISSN (Print): 0302-9743

Keywords

  • Botnet
  • IP flow monitoring
  • Domain registration behaviour
  • DNS
  • Coordinated cyber threats
  • Early detection
  • EWI-27837
  • Provider network

Cite this

Dietz, C., Sperotto, A., Dreo, G., & Pras, A. (2016). How to Achieve Early Botnet Detection at the Provider Level? In Proceedings of the 10th IFIP WG 6.6 International Conference on Management and Security in the Age of Hyperconnectivity, AIMS 2016 (pp. 142-146). (Lecture Notes in Computer Science; Vol. 9701). London: Springer Verlag. DOI: 10.1007/978-3-319-39814-3_15

Dietz, Christian; Sperotto, Anna; Dreo, G.; Pras, Aiko / How to Achieve Early Botnet Detection at the Provider Level?

Proceedings of the 10th IFIP WG 6.6 International Conference on Management and Security in the Age of Hyperconnectivity, AIMS 2016. London : Springer Verlag, 2016. p. 142-146 (Lecture Notes in Computer Science; Vol. 9701).

Research output: Scientific - peer-review, Conference contribution

@inproceedings{0dbdb036d82c442b8dc80a016d29a707,
title = "How to Achieve Early Botnet Detection at the Provider Level?",
abstract = "Botnets are an enabler for many cyber-criminal activities and are often responsible for DDoS attacks, banking fraud, cyber-espionage and extortion. Botnets are controlled by a botmaster who uses various advanced techniques to create, maintain and hide their complex and distributed C\&C infrastructures. First, they use P2P techniques and domain fast-flux to increase resilience against take-down actions. Second, botnets encrypt their communication payload to prevent signature-based detection. Both the actions to increase resilience and the prevention of signature-based detection are counteractions against detection techniques. In contrast to existing approaches, our novel approach includes DNS registration behaviour, which we currently analyse for the .com, .net and .org domains, representing half of the registered domains on the Internet. Hence, the goal of this PhD research is to enable early detection of the deployment and operation of botnets to facilitate proactive mitigation strategies, whereas current approaches usually detect botnets while they are already in active use. Consequently, this proactive approach prevents botnets from fully evolving their size and attack power. Moreover, as many end users are unable to detect and clean infected machines, our approach tackles the botnet phenomenon without requiring any end-user involvement, by incorporating ISPs and domain name registrars. In addition, this will enable the discovery of similar behaviour across different connected systems, which allows detection in cases where bots are registered under domains that are not willing to cooperate.",
keywords = "Botnet, IP flow monitoring, Domain registration behaviour, DNS, Coordinated cyber threats, Early detection, EWI-27837, Provider network",
author = "Christian Dietz and Anna Sperotto and G. Dreo and Aiko Pras",
year = "2016",
month = jun,
doi = "10.1007/978-3-319-39814-3_15",
isbn = "978-3-319-39813-6",
series = "Lecture Notes in Computer Science",
volume = "9701",
publisher = "Springer Verlag",
address = "London",
pages = "142--146",
booktitle = "Proceedings of the 10th IFIP WG 6.6 International Conference on Management and Security in the Age of Hyperconnectivity, AIMS 2016",
}

Dietz, C, Sperotto, A, Dreo, G & Pras, A 2016, How to Achieve Early Botnet Detection at the Provider Level? in Proceedings of the 10th IFIP WG 6.6 International Conference on Management and Security in the Age of Hyperconnectivity, AIMS 2016. Lecture Notes in Computer Science, vol. 9701, Springer Verlag, London, pp. 142-146. DOI: 10.1007/978-3-319-39814-3_15

How to Achieve Early Botnet Detection at the Provider Level? / Dietz, Christian; Sperotto, Anna; Dreo, G.; Pras, Aiko.

Proceedings of the 10th IFIP WG 6.6 International Conference on Management and Security in the Age of Hyperconnectivity, AIMS 2016. London : Springer Verlag, 2016. p. 142-146 (Lecture Notes in Computer Science; Vol. 9701).

Research output: Scientific - peer-review, Conference contribution

TY  - CONF
T1  - How to Achieve Early Botnet Detection at the Provider Level?
AU  - Dietz, Christian
AU  - Sperotto, Anna
AU  - Dreo, G.
AU  - Pras, Aiko
PY  - 2016/6
Y1  - 2016/6
AB  - Botnets are an enabler for many cyber-criminal activities and are often responsible for DDoS attacks, banking fraud, cyber-espionage and extortion. Botnets are controlled by a botmaster who uses various advanced techniques to create, maintain and hide their complex and distributed C&C infrastructures. First, they use P2P techniques and domain fast-flux to increase resilience against take-down actions. Second, botnets encrypt their communication payload to prevent signature-based detection. Both the actions to increase resilience and the prevention of signature-based detection are counteractions against detection techniques. In contrast to existing approaches, our novel approach includes DNS registration behaviour, which we currently analyse for the .com, .net and .org domains, representing half of the registered domains on the Internet. Hence, the goal of this PhD research is to enable early detection of the deployment and operation of botnets to facilitate proactive mitigation strategies, whereas current approaches usually detect botnets while they are already in active use. Consequently, this proactive approach prevents botnets from fully evolving their size and attack power. Moreover, as many end users are unable to detect and clean infected machines, our approach tackles the botnet phenomenon without requiring any end-user involvement, by incorporating ISPs and domain name registrars. In addition, this will enable the discovery of similar behaviour across different connected systems, which allows detection in cases where bots are registered under domains that are not willing to cooperate.
KW  - Botnet
KW  - IP flow monitoring
KW  - Domain registration behaviour
KW  - DNS
KW  - Coordinated cyber threats
KW  - Early detection
KW  - EWI-27837
KW  - Provider network
U2  - 10.1007/978-3-319-39814-3_15
DO  - 10.1007/978-3-319-39814-3_15
M3  - Conference contribution
SN  - 978-3-319-39813-6
T3  - Lecture Notes in Computer Science
VL  - 9701
SP  - 142
EP  - 146
BT  - Proceedings of the 10th IFIP WG 6.6 International Conference on Management and Security in the Age of Hyperconnectivity, AIMS 2016
PB  - Springer Verlag
CY  - London
ER  - 

Dietz C, Sperotto A, Dreo G, Pras A. How to Achieve Early Botnet Detection at the Provider Level? In Proceedings of the 10th IFIP WG 6.6 International Conference on Management and Security in the Age of Hyperconnectivity, AIMS 2016. London: Springer Verlag. 2016. p. 142-146. (Lecture Notes in Computer Science; Vol. 9701). DOI: 10.1007/978-3-319-39814-3_15