DBod: Clustering and detecting DGA-based botnets using DNS traffic analysis

Tzy Shiah Wang, Hui Tang Lin, Wei Tsung Cheng, Chang Yu Chen

Research output: Contribution to journal › Article

27 Citations (Scopus)

Abstract

Botnets are one of the leading threats to network security nowadays and are used to conduct a wide variety of malicious activities, including information theft, phishing, spam mail distribution, and Distributed Denial of Service (DDoS) attacks. Among the various forms of botnet, DGA-based botnets, which utilize a Domain Generation Algorithm (DGA) to avoid detection, are one of the most disruptive and difficult to detect. In such botnets, the DGA is used to generate a huge list of candidate Command and Control (C&C) server domains, and the bot then attempts to connect to an active C&C server by querying each DNS server in turn. DGA-based botnets are highly elusive and difficult to detect using traditional defensive mechanisms and therefore have a high survivability. Accordingly, this study proposes a DGA-based botnet detection scheme designated as DBod based on an analysis of the query behavior of the DNS traffic. The proposed scheme exploits the fact that hosts compromised by the same DGA-based malware query the same sets of domains in the domain list and most of these queries fail since only a very limited number of the domains are actually associated with an active C&C. The feasibility of the proposed method is evaluated using the DNS data collected from an education network environment over a period of 26 months. The results show that DBod provides an accurate and effective means of detecting both existing and new DGA-based botnet patterns in real-world networks.

Original language: English
Pages (from-to): 1-15
Number of pages: 15
Journal: Computers and Security
Volume: 64
DOIs: 10.1016/j.cose.2016.10.001
Publication status: Published - 2017 Jan 1

All Science Journal Classification (ASJC) codes

  • Computer Science(all)
  • Law

Cite this

Wang, Tzy Shiah; Lin, Hui Tang; Cheng, Wei Tsung; Chen, Chang Yu. DBod: Clustering and detecting DGA-based botnets using DNS traffic analysis. In: Computers and Security. 2017; Vol. 64. pp. 1-15.
@article{9b6e40606cc747d592c118b38e55627c,
title = "DBod: Clustering and detecting DGA-based botnets using DNS traffic analysis",
author = "Wang, {Tzy Shiah} and Lin, {Hui Tang} and Cheng, {Wei Tsung} and Chen, {Chang Yu}",
year = "2017",
month = "1",
day = "1",
doi = "10.1016/j.cose.2016.10.001",
language = "English",
volume = "64",
pages = "1--15",
journal = "Computers and Security",
issn = "0167-4048",
publisher = "Elsevier Limited",

}
