Monitoring the DNS Infrastructure for Proactive Botnet Detection

Christian Dietz; Anna Sperotto; Gabi Dreo; Aiko Pras

Monitoring the DNS Infrastructure for Proactive Botnet Detection

Christian Dietz
, Anna Sperotto
, Gabi Dreo
, Aiko Pras

Design and Analysis of Communication Systems

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic

99 Downloads (Pure)

Abstract

Botnets enable many cyber-criminal activities, such as DDoS attacks, banking fraud and cyberespionage. Botmasters use various techniques to create, maintain and hide their complex C&C infrastructures. First, they use P2P techniques and domain fast-ﬂux to increase the resilience against take-down actions. Second, botnets encrypt their communication payload to prevent signature based detection. However, botnets often use the domain name system (DNS), e.g., to ﬿nd peers and register malicious domains. Since, botmasters manage a large distributed overlay network, but have limited personal resources, they tend to automate domain registration, e.g. using domain name generation algorithms (DGAs). Such automatically generated domains share similarities and appear to be registered in close temporal distance. Such characteristics can be used for bot detection, while their deployment is still in preparation. Hence, the goal of this research is early detection of botnets to facilitate proactive mitigation strategies. Using such a proactive approach prevents botnets from evolving their full size and attack power. As many end users are unable to detect and clean infected machines, we favour a provider-based approach, involving ISPs and DNS registrars. This approach bene﬿ts from its overview of the network that allows to discover behavioural similarities of diﬀerent connected systems. The bene﬿t of tackling distributed large-scale attacks at provider level has been discussed and demonstrated in previous studies by others. Further, initiatives to incentive ISPs centred botnet mitigation are already ongoing. Previous research already addressed the domain registration behaviour of spammers and demonstrated DGA based malware detection. In contrast, our approach includes the detection of malicious DNS registration behaviour, which we currently analyse for the .com, .net and .org top level domains. These domains represent half of the registered Internet domains. By combining DNS registration behaviour analysis with passive monitoring of DNS requests and IP ﬂows, we are able to tackle botnets throughout their whole life-cycle.

Original language	English
Title of host publication	Proceedings of the 11th SPRING graduate workshop of the special interest group Security - Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI) (SPRING 2016)
Place of Publication	Germany
Publisher	Special interest group Security - Intrusion Detection and Response (SIDAR) German Informatics Society (GI)
Pages	3-4
Number of pages	2
Publication status	Published - Jun 2016
Event	11th SPRING Gaduate Workshop of the special interest group Security - Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI), SPRING 2016 - Darmstadt, Germany Duration: 2 Jun 2016 → 3 Jun 2016 Conference number: 11

Publication series

Name	SIDAR reports
Publisher	Special interest group Security - Intrusion Detection and Response (SIDAR) German Informatics Society (GI)
Volume	SR-2016-01
ISSN (Print)	2190-846X

Workshop

Workshop	11th SPRING Gaduate Workshop of the special interest group Security - Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI), SPRING 2016
Abbreviated title	SPRING
Country/Territory	Germany
City	Darmstadt
Period	2/06/16 → 3/06/16

Keywords

Threat detection
DNS monitoring
Anomaly detection
Botnet

Access to Document

ArticleFinal published version, 368 KB

1 Book editing

SPRING 2016, Darmstadt, Germany: Proceedings of the 11th SPRING graduate workshop of the special interest group Security – Intrusion Detection and Response (SIDAR) of the German informatics Society (GI)
Steinberger, J. (Editor), Jun 2016, Germany: German Informatics Society (GI). 22 p. (SIDAR-Reports; vol. SR-2016-01)
Research output: Book/Report › Book editing › Academic

Open Access
File

Cite this

Dietz, C., Sperotto, A., Dreo, G., & Pras, A. (2016). Monitoring the DNS Infrastructure for Proactive Botnet Detection. In Proceedings of the 11th SPRING graduate workshop of the special interest group Security - Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI) (SPRING 2016) (pp. 3-4). (SIDAR reports; Vol. SR-2016-01). Special interest group Security - Intrusion Detection and Response (SIDAR) German Informatics Society (GI).

Dietz, Christian ; Sperotto, Anna ; Dreo, Gabi et al. / Monitoring the DNS Infrastructure for Proactive Botnet Detection. Proceedings of the 11th SPRING graduate workshop of the special interest group Security - Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI) (SPRING 2016). Germany : Special interest group Security - Intrusion Detection and Response (SIDAR) German Informatics Society (GI), 2016. pp. 3-4 (SIDAR reports).

@inproceedings{a274ef79818145e68d9e1adc00fee450,

title = "Monitoring the DNS Infrastructure for Proactive Botnet Detection",

abstract = "Botnets enable many cyber-criminal activities, such as DDoS attacks, banking fraud and cyberespionage. Botmasters use various techniques to create, maintain and hide their complex C\&C infrastructures. First, they use P2P techniques and domain fast-ﬂux to increase the resilience against take-down actions. Second, botnets encrypt their communication payload to prevent signature based detection. However, botnets often use the domain name system (DNS), e.g., to ﬿nd peers and register malicious domains. Since, botmasters manage a large distributed overlay network, but have limited personal resources, they tend to automate domain registration, e.g. using domain name generation algorithms (DGAs). Such automatically generated domains share similarities and appear to be registered in close temporal distance. Such characteristics can be used for bot detection, while their deployment is still in preparation. Hence, the goal of this research is early detection of botnets to facilitate proactive mitigation strategies. Using such a proactive approach prevents botnets from evolving their full size and attack power. As many end users are unable to detect and clean infected machines, we favour a provider-based approach, involving ISPs and DNS registrars. This approach bene﬿ts from its overview of the network that allows to discover behavioural similarities of diﬀerent connected systems. The bene﬿t of tackling distributed large-scale attacks at provider level has been discussed and demonstrated in previous studies by others. Further, initiatives to incentive ISPs centred botnet mitigation are already ongoing. Previous research already addressed the domain registration behaviour of spammers and demonstrated DGA based malware detection. In contrast, our approach includes the detection of malicious DNS registration behaviour, which we currently analyse for the .com, .net and .org top level domains. These domains represent half of the registered Internet domains. By combining DNS registration behaviour analysis with passive monitoring of DNS requests and IP ﬂows, we are able to tackle botnets throughout their whole life-cycle.",

keywords = "Threat detection, DNS monitoring, Anomaly detection, Botnet",

author = "Christian Dietz and Anna Sperotto and Gabi Dreo and Aiko Pras",

year = "2016",

month = jun,

language = "English",

series = "SIDAR reports",

publisher = "Special interest group Security - Intrusion Detection and Response (SIDAR) German Informatics Society (GI)",

pages = "3--4",

booktitle = "Proceedings of the 11th SPRING graduate workshop of the special interest group Security - Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI) (SPRING 2016)",

note = "11th SPRING Gaduate Workshop of the special interest group Security - Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI), SPRING 2016, SPRING ; Conference date: 02-06-2016 Through 03-06-2016",

}

Dietz, C, Sperotto, A, Dreo, G & Pras, A 2016, Monitoring the DNS Infrastructure for Proactive Botnet Detection. in Proceedings of the 11th SPRING graduate workshop of the special interest group Security - Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI) (SPRING 2016). SIDAR reports, vol. SR-2016-01, Special interest group Security - Intrusion Detection and Response (SIDAR) German Informatics Society (GI), Germany, pp. 3-4, 11th SPRING Gaduate Workshop of the special interest group Security - Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI), SPRING 2016, Darmstadt, Germany, 2/06/16.

Monitoring the DNS Infrastructure for Proactive Botnet Detection. / Dietz, Christian; Sperotto, Anna; Dreo, Gabi et al.
Proceedings of the 11th SPRING graduate workshop of the special interest group Security - Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI) (SPRING 2016). Germany: Special interest group Security - Intrusion Detection and Response (SIDAR) German Informatics Society (GI), 2016. p. 3-4 (SIDAR reports; Vol. SR-2016-01).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic

TY - GEN

T1 - Monitoring the DNS Infrastructure for Proactive Botnet Detection

AU - Dietz, Christian

AU - Sperotto, Anna

AU - Dreo, Gabi

AU - Pras, Aiko

N1 - Conference code: 11

PY - 2016/6

Y1 - 2016/6

N2 - Botnets enable many cyber-criminal activities, such as DDoS attacks, banking fraud and cyberespionage. Botmasters use various techniques to create, maintain and hide their complex C&C infrastructures. First, they use P2P techniques and domain fast-ﬂux to increase the resilience against take-down actions. Second, botnets encrypt their communication payload to prevent signature based detection. However, botnets often use the domain name system (DNS), e.g., to ﬿nd peers and register malicious domains. Since, botmasters manage a large distributed overlay network, but have limited personal resources, they tend to automate domain registration, e.g. using domain name generation algorithms (DGAs). Such automatically generated domains share similarities and appear to be registered in close temporal distance. Such characteristics can be used for bot detection, while their deployment is still in preparation. Hence, the goal of this research is early detection of botnets to facilitate proactive mitigation strategies. Using such a proactive approach prevents botnets from evolving their full size and attack power. As many end users are unable to detect and clean infected machines, we favour a provider-based approach, involving ISPs and DNS registrars. This approach bene﬿ts from its overview of the network that allows to discover behavioural similarities of diﬀerent connected systems. The bene﬿t of tackling distributed large-scale attacks at provider level has been discussed and demonstrated in previous studies by others. Further, initiatives to incentive ISPs centred botnet mitigation are already ongoing. Previous research already addressed the domain registration behaviour of spammers and demonstrated DGA based malware detection. In contrast, our approach includes the detection of malicious DNS registration behaviour, which we currently analyse for the .com, .net and .org top level domains. These domains represent half of the registered Internet domains. By combining DNS registration behaviour analysis with passive monitoring of DNS requests and IP ﬂows, we are able to tackle botnets throughout their whole life-cycle.

AB - Botnets enable many cyber-criminal activities, such as DDoS attacks, banking fraud and cyberespionage. Botmasters use various techniques to create, maintain and hide their complex C&C infrastructures. First, they use P2P techniques and domain fast-ﬂux to increase the resilience against take-down actions. Second, botnets encrypt their communication payload to prevent signature based detection. However, botnets often use the domain name system (DNS), e.g., to ﬿nd peers and register malicious domains. Since, botmasters manage a large distributed overlay network, but have limited personal resources, they tend to automate domain registration, e.g. using domain name generation algorithms (DGAs). Such automatically generated domains share similarities and appear to be registered in close temporal distance. Such characteristics can be used for bot detection, while their deployment is still in preparation. Hence, the goal of this research is early detection of botnets to facilitate proactive mitigation strategies. Using such a proactive approach prevents botnets from evolving their full size and attack power. As many end users are unable to detect and clean infected machines, we favour a provider-based approach, involving ISPs and DNS registrars. This approach bene﬿ts from its overview of the network that allows to discover behavioural similarities of diﬀerent connected systems. The bene﬿t of tackling distributed large-scale attacks at provider level has been discussed and demonstrated in previous studies by others. Further, initiatives to incentive ISPs centred botnet mitigation are already ongoing. Previous research already addressed the domain registration behaviour of spammers and demonstrated DGA based malware detection. In contrast, our approach includes the detection of malicious DNS registration behaviour, which we currently analyse for the .com, .net and .org top level domains. These domains represent half of the registered Internet domains. By combining DNS registration behaviour analysis with passive monitoring of DNS requests and IP ﬂows, we are able to tackle botnets throughout their whole life-cycle.

KW - Threat detection

KW - DNS monitoring

KW - Anomaly detection

KW - Botnet

M3 - Conference contribution

T3 - SIDAR reports

SP - 3

EP - 4

BT - Proceedings of the 11th SPRING graduate workshop of the special interest group Security - Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI) (SPRING 2016)

PB - Special interest group Security - Intrusion Detection and Response (SIDAR) German Informatics Society (GI)

CY - Germany

T2 - 11th SPRING Gaduate Workshop of the special interest group Security - Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI), SPRING 2016

Y2 - 2 June 2016 through 3 June 2016

ER -

Dietz C, Sperotto A, Dreo G, Pras A. Monitoring the DNS Infrastructure for Proactive Botnet Detection. In Proceedings of the 11th SPRING graduate workshop of the special interest group Security - Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI) (SPRING 2016). Germany: Special interest group Security - Intrusion Detection and Response (SIDAR) German Informatics Society (GI). 2016. p. 3-4. (SIDAR reports).

Monitoring the DNS Infrastructure for Proactive Botnet Detection

Abstract

Publication series

Workshop

Keywords

Access to Document

Fingerprint

Research output

SPRING 2016, Darmstadt, Germany: Proceedings of the 11th SPRING graduate workshop of the special interest group Security – Intrusion Detection and Response (SIDAR) of the German informatics Society (GI)

Cite this