TY - GEN
T1 - Monitoring the DNS Infrastructure for Proactive Botnet Detection
AU - Dietz, Christian
AU - Sperotto, Anna
AU - Dreo, G.
AU - Pras, Aiko
PY - 2016/6
Y1 - 2016/6
N2 - Botnets enable many cyber-criminal activities, such as DDoS attacks, banking fraud and cyberespionage. Botmasters use various techniques to create, maintain and hide their complex C&C infrastructures. First, they use P2P techniques and domain fast-flux to increase resilience against take-down actions. Second, botnets encrypt their communication payload to prevent signature-based detection. However, botnets often use the domain name system (DNS), e.g., to find peers and to register malicious domains. Since botmasters manage a large distributed overlay network but have limited personal resources, they tend to automate domain registration, e.g. using domain name generation algorithms (DGAs). Such automatically generated domains share lexical similarities and tend to be registered within a short time of each other. These characteristics can be used for bot detection while the botnet is still being set up. Hence, the goal of this research is early detection of botnets to facilitate proactive mitigation strategies. Such a proactive approach prevents botnets from reaching their full size and attack power. As many end users are unable to detect and clean infected machines, we favour a provider-based approach involving ISPs and DNS registrars. This approach benefits from the provider's overview of the network, which allows behavioural similarities between different connected systems to be discovered. The benefit of tackling distributed large-scale attacks at provider level has been discussed and demonstrated in previous studies by others. Further, initiatives to incentivise ISP-centred botnet mitigation are already ongoing. Previous research has addressed the domain registration behaviour of spammers and demonstrated DGA-based malware detection. In contrast, our approach includes the detection of malicious DNS registration behaviour, which we currently analyse for the .com, .net and .org top-level domains. These TLDs represent half of the registered Internet domains. By combining DNS registration behaviour analysis with passive monitoring of DNS requests and IP flows, we are able to tackle botnets throughout their whole life-cycle.
KW - Threat Detection
KW - DNS Monitoring
KW - Anomaly Detection
KW - Botnet
KW - EWI-27839
M3 - Conference contribution
T3 - SIDAR reports
SP - 3
EP - 4
BT - Proceedings of the 11th SPRING graduate workshop of the special interest group Security - Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI) (SPRING 2016)
PB - Special interest group Security - Intrusion Detection and Response (SIDAR) German Informatics Society (GI)
CY - Germany
T2 - 11th SPRING graduate workshop of the special interest group Security - Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI) (SPRING 2016)
Y2 - 2 June 2016 through 3 June 2016
ER -
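Added example, not code from the paper or its authors: a toy Python detector for the two registration-side signals the abstract names, lexical similarity of algorithmically generated labels and registration of many such names within a short time window. The registration feed is constructed, and the feature weights, time window and thresholds are illustrative assumptions rather than values from the paper.

```python
"""Toy detector for bursts of DGA-looking domain registrations.

Added example (not the paper's method). Input is a constructed list of
(domain, UTC registration time) records standing in for a zone-file delta or
registrar feed. Feature weights, window and thresholds are assumptions.
"""
import math
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample feed: two human-looking registrations and a burst of five
# consonant-heavy, algorithm-looking names registered minutes apart.
SAMPLE_FEED = [
    ("bakery-on-main.com", "2016-06-02T09:12:00"),
    ("xqzvtrkpwlf.net", "2016-06-02T11:00:05"),
    ("pqwvzhtrxkm.com", "2016-06-02T11:01:40"),
    ("zrkxtvpwqnl.org", "2016-06-02T11:02:10"),
    ("kxvqwtzrpmn.com", "2016-06-02T11:03:55"),
    ("wvzrqxtkpln.net", "2016-06-02T11:05:20"),
    ("greenhill-dental.org", "2016-06-02T15:40:00"),
]

VOWELS = set("aeiou")


def second_level_label(domain):
    """'www.example.com' -> 'example' (naive split; assumes a one-label TLD)."""
    return domain.lower().rstrip(".").split(".")[-2]


def shannon_entropy(s):
    """Bits per character of the label's letter distribution."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_consonant_run(s):
    return max((len(m) for m in re.findall(r"[b-df-hj-np-tv-z]+", s)), default=0)


def dga_score(domain):
    """Heuristic lexical score in [0, 1]; higher looks more machine-generated.

    Three features, each clipped to [0, 1] (weights are assumptions):
    - vowel ratio below ~0.35, where pronounceable English labels usually sit
    - consonant runs longer than 3, rare in dictionary words
    - high per-character entropy, only counted for labels of 8+ letters
    """
    letters = re.sub(r"[^a-z]", "", second_level_label(domain))
    if not letters:
        return 0.0
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters)
    f_vowel = min(1.0, max(0.0, (0.35 - vowel_ratio) / 0.35))
    f_run = min(1.0, max(0.0, (longest_consonant_run(letters) - 3) / 5))
    f_entropy = min(1.0, shannon_entropy(letters) / 4.0) if len(letters) >= 8 else 0.0
    return round(0.4 * f_vowel + 0.4 * f_run + 0.2 * f_entropy, 3)


def burst_clusters(feed, window=timedelta(minutes=5), min_size=3, min_mean_score=0.5):
    """Group registrations whose successive gaps are <= window, then flag
    groups that are both large enough and lexically DGA-like on average.
    Returns a list of dicts describing the flagged bursts."""
    records = sorted((datetime.fromisoformat(ts), d) for d, ts in feed)
    clusters, current = [], []
    for ts, domain in records:
        if current and ts - current[-1][0] > window:
            clusters.append(current)
            current = []
        current.append((ts, domain))
    if current:
        clusters.append(current)

    flagged = []
    for cluster in clusters:
        scores = [dga_score(d) for _, d in cluster]
        mean_score = sum(scores) / len(scores)
        if len(cluster) >= min_size and mean_score >= min_mean_score:
            flagged.append({
                "start": cluster[0][0],
                "end": cluster[-1][0],
                "domains": [d for _, d in cluster],
                "mean_score": round(mean_score, 3),
            })
    return flagged


if __name__ == "__main__":
    for burst in burst_clusters(SAMPLE_FEED):
        print(f"{burst['start']} .. {burst['end']}  mean={burst['mean_score']}")
        for d in burst["domains"]:
            print(f"  {d}  score={dga_score(d)}")
```

The lexical score alone is noisy (short brand names and non-English words also score high), which is why the burst rule requires both a cluster of registrations inside the window and a high mean score; in a real pipeline the window and thresholds would be tuned per TLD against a labelled registration history, and the flagged clusters would be correlated with the passive DNS and flow data the abstract mentions.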