Monitoring the DNS Infrastructure for Proactive Botnet Detection

Christian Dietz, Anna Sperotto, G. Dreo, Aiko Pras

    Research output: Chapter in Book/Report/Conference proceeding > Conference contribution > Academic


    Abstract

    Botnets enable many cyber-criminal activities, such as DDoS attacks, banking fraud and cyberespionage. Botmasters use various techniques to create, maintain and hide their complex C&C infrastructures. First, they use P2P techniques and domain fast-flux to increase resilience against take-down actions. Second, botnets encrypt their communication payload to prevent signature-based detection. However, botnets often use the domain name system (DNS), e.g., to find peers and to register malicious domains. Since botmasters manage a large distributed overlay network but have limited personal resources, they tend to automate domain registration, e.g. using domain name generation algorithms (DGAs). Such automatically generated domains share similarities and appear to be registered in close temporal distance. These characteristics can be used for bot detection while the botnet's deployment is still in preparation. Hence, the goal of this research is early detection of botnets to facilitate proactive mitigation strategies. Such a proactive approach prevents botnets from reaching their full size and attack power. As many end users are unable to detect and clean infected machines, we favour a provider-based approach involving ISPs and DNS registrars. This approach benefits from the provider's overview of the network, which allows behavioural similarities between different connected systems to be discovered. The benefit of tackling distributed large-scale attacks at provider level has been discussed and demonstrated in previous studies by others. Further, initiatives to incentivise ISP-centred botnet mitigation are already ongoing. Previous research has already addressed the domain registration behaviour of spammers and demonstrated DGA-based malware detection. In contrast, our approach includes the detection of malicious DNS registration behaviour, which we currently analyse for the .com, .net and .org top-level domains. These domains represent half of the registered Internet domains. By combining DNS registration behaviour analysis with passive monitoring of DNS requests and IP flows, we are able to tackle botnets throughout their whole life-cycle.
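As an added illustration (not code from the paper or its authors), the following Python sketch applies the two registration-side signals the abstract describes to a constructed batch of registration records: it flags lexically DGA-like second-level labels, then groups flagged registrations that fall within a short time window into "bursts". The thresholds, the sample domains and the timestamps are assumptions chosen for the demo, not values from the paper.

```python
# Added example: toy detector for batches of DGA-like domain registrations.
# Signals (from the abstract): generated names share lexical similarities,
# and they tend to be registered in close temporal distance.
from collections import Counter
from datetime import datetime, timedelta
import math


def entropy(label):
    """Shannon entropy (bits/char) of a domain label; random labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def vowel_ratio(label):
    """Fraction of vowels; pronounceable words usually sit well above ~0.3."""
    return sum(ch in "aeiou" for ch in label) / len(label)


def looks_generated(domain):
    """Illustrative lexical heuristic (thresholds are assumptions, not the paper's)."""
    label = domain.split(".")[0].lower()
    return len(label) >= 10 and entropy(label) > 3.0 and vowel_ratio(label) < 0.3


def find_registration_bursts(records, window=timedelta(minutes=10), min_size=3):
    """Group DGA-like registrations whose timestamps fall within `window` of the
    first member; return only groups of at least `min_size` domains."""
    suspicious = sorted((ts, dom) for dom, ts in records if looks_generated(dom))
    bursts, current = [], []
    for ts, dom in suspicious:
        if current and ts - current[0][0] > window:
            if len(current) >= min_size:
                bursts.append([d for _, d in current])
            current = []
        current.append((ts, dom))
    if len(current) >= min_size:
        bursts.append([d for _, d in current])
    return bursts


BASE = datetime(2016, 6, 1, 3, 0)
SAMPLE_RECORDS = [  # constructed sample registration feed: (domain, registered_at)
    ("example.com", BASE - timedelta(hours=5)),
    ("mycoolshop.net", BASE - timedelta(hours=2)),
    ("xkqzvbtrpwd.com", BASE),
    ("qmtlrvzjxcs.com", BASE + timedelta(minutes=2)),
    ("bhtpzkrwvqn.net", BASE + timedelta(minutes=4)),
    ("wzkqrtxpbvd.org", BASE + timedelta(minutes=7)),
    ("onlinebookstore.org", BASE + timedelta(minutes=8)),
    ("nprtvzkqxwb.com", BASE + timedelta(hours=3)),  # lone hit, below min_size
]

if __name__ == "__main__":
    for burst in find_registration_bursts(SAMPLE_RECORDS):
        print("suspicious registration burst:", burst)
```

Lexical heuristics alone produce false positives on legitimate keyword-stuffed names, which is why the abstract pairs registration analysis with passive DNS and flow monitoring for the later life-cycle stages.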
    Original language: Undefined
    Title of host publication: Proceedings of the 11th SPRING graduate workshop of the special interest group Security - Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI) (SPRING 2016)
    Place of Publication: Germany
    Publisher: Special interest group Security - Intrusion Detection and Response (SIDAR) German Informatics Society (GI)
    Pages: 3-4
    Number of pages: 2
    Publication status: Published - Jun 2016

    Publication series

    Name: SIDAR reports
    Publisher: Special interest group Security - Intrusion Detection and Response (SIDAR) German Informatics Society (GI)
    Volume: SR-2016-01
    ISSN (Print): 2190-846X

    Keywords

    • Threat Detection
    • DNS Monitoring
    • Anomaly Detection
    • Botnet
    • EWI-27839

    Cite this

    Dietz, C., Sperotto, A., Dreo, G., & Pras, A. (2016). Monitoring the DNS Infrastructure for Proactive Botnet Detection. In Proceedings of the 11th SPRING graduate workshop of the special interest group Security - Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI) (SPRING 2016) (pp. 3-4). (SIDAR reports; Vol. SR-2016-01). Germany: Special interest group Security - Intrusion Detection and Response (SIDAR) German Informatics Society (GI).