On similarities of string and query sequence for DGA botnet detection

Chun De Chang, Hui Tang Lin

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

6 Citations (Scopus)

Abstract

The Internet plays an important role in everyday life, but its security remains a major concern. Among the threats facing the Internet and its users are botnet attacks. A typical botnet is composed of a botmaster, a Command and Control (C&C) server and many compromised devices called bots. Through the C&C server, the botmaster directs the bots to launch attacks such as DDoS, phishing and spam distribution. Among botnets, Domain Generation Algorithm (DGA) botnets are particularly resilient to traditional detection (blocklisting or sinkholing a fixed C&C address) because each bot generates a large set of candidate domains and the C&C server is reachable through whichever of them the botmaster registers, so the rendezvous point is never fixed. Accordingly, this study presents a robust approach for detecting DGA botnets based on inspection of the DNS traffic in a network. The DNS records are first filtered to remove known benign and known malicious domains, and the remaining domains are clustered using a modified Chinese Whispers algorithm. Each cluster is then classified as malicious or benign by a Sequence Similarity Module and a Query Sequence Similarity Module. The proposed method is shown to successfully detect several types of botnet in a real-world, large-scale network.
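The pipeline the abstract describes (filter known domains, cluster the rest, judge each cluster by string similarity and by the similarity of the hosts' query sequences) can be sketched end to end. The block below is an added example written for this page, not the authors' implementation: the abstract does not say how their Chinese Whispers variant is modified or which similarity measures the two modules use, so the code runs the standard Chinese Whispers algorithm over a graph whose edges come from an assumed string similarity (edit distance between the vowel/consonant/digit "shape" of the second-level label), scores query sequences with an assumed per-host edit-distance similarity, and uses assumed thresholds. The DNS log, allow-list and deny-list are constructed sample data.

```python
"""DGA-domain clustering sketch in the spirit of the abstract: filter DNS records
against known lists, cluster the unknown domains with the standard Chinese Whispers
algorithm, then score each cluster by string and query-sequence similarity. Added
example, not the authors' code; measures, thresholds and the log are assumptions."""
import random
from collections import defaultdict
from itertools import combinations

# Constructed sample log: (client, query sequence number, queried name).
# 10.0.0.5 and 10.0.0.6 run the same hypothetical DGA; the others browse normally.
DGA_NAMES = ["xkqzlvwpt.com", "mzrbqwplk.com", "tvgsndwjq.com", "hpltrkzvm.com"]
SAMPLE_LOG = [(h, i, d) for h in ("10.0.0.5", "10.0.0.6") for i, d in enumerate(DGA_NAMES, 1)]
SAMPLE_LOG += [("10.0.0.7", 1, "www.google.com"), ("10.0.0.7", 2, "wikipedia.org"),
               ("10.0.0.7", 3, "archive.org"), ("10.0.0.8", 1, "mail.example.com"),
               ("10.0.0.8", 2, "weather.gov"), ("10.0.0.8", 3, "wikipedia.org"),
               ("10.0.0.8", 4, "openstreetmap.org")]
KNOWN_BENIGN = {"google.com", "example.com"}  # assumed allow-list (e.g. top sites)
KNOWN_MALICIOUS = {"evil-known.net"}          # assumed threat-intel deny-list

def registered_domain(fqdn):
    """Last two labels; a real deployment would consult a public-suffix list."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def filter_records(records, benign, malicious):
    """Keep only queries whose registered domain is neither known-good nor known-bad."""
    kept = [(c, s, registered_domain(f)) for c, s, f in records]
    return [r for r in kept if r[2] not in benign and r[2] not in malicious]

def char_class_pattern(domain):
    """Second-level label mapped to v(owel)/c(onsonant)/d(igit)/x(other)."""
    return "".join("v" if ch in "aeiou" else "d" if ch.isdigit() else
                   "c" if ch.isalpha() else "x" for ch in domain.split(".")[0])

def levenshtein(a, b):
    """Edit distance between two sequences (strings here, domain lists below)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def string_similarity(d1, d2):
    """1.0 when both labels share one character-class shape, 0.0 when every position
    differs: DGA output tends to share a shape, dictionary words do not."""
    p1, p2 = char_class_pattern(d1), char_class_pattern(d2)
    return 1.0 - levenshtein(p1, p2) / max(len(p1), len(p2), 1)

def chinese_whispers(domains, min_sim=0.7, rounds=20, seed=1):
    """Standard Chinese Whispers: each node starts in its own class and repeatedly adopts
    the neighbour class with the largest summed edge weight (ties keep the current
    class, otherwise take the lowest name); nodes without edges stay singletons."""
    nodes = sorted(set(domains))
    edges = {n: {} for n in nodes}
    for a, b in combinations(nodes, 2):
        w = string_similarity(a, b)
        if w >= min_sim:
            edges[a][b] = edges[b][a] = w
    label, rng = {n: n for n in nodes}, random.Random(seed)
    for _ in range(rounds):
        rng.shuffle(nodes)  # random visiting order, as in the original algorithm
        for n in (x for x in nodes if edges[x]):
            score = defaultdict(float)
            for m, w in edges[n].items():
                score[label[m]] += w
            best = max(score.values())
            tied = sorted(l for l, s in score.items() if s == best)
            label[n] = label[n] if label[n] in tied else tied[0]
    return [sorted(n for n in label if label[n] == l) for l in sorted(set(label.values()))]

def query_sequence_similarity(cluster, records):
    """Mean pairwise edit-distance similarity between hosts' ordered queries inside the
    cluster: bots sharing one DGA and seed walk the same domain list in the same order."""
    members, per_host = set(cluster), defaultdict(list)
    for client, _, dom in sorted(records, key=lambda r: (r[0], r[1])):
        if dom in members:
            per_host[client].append(dom)
    seqs = list(per_host.values())
    if len(seqs) < 2:
        return 0.0
    sims = [1 - levenshtein(s, t) / max(len(s), len(t)) for s, t in combinations(seqs, 2)]
    return sum(sims) / len(sims)

def detect_dga_clusters(records, benign, malicious, min_size=3,
                        min_string_sim=0.7, min_query_sim=0.5):
    """Flag clusters of several unknown, similarly shaped domains that several hosts
    queried in near-identical order (cluster size and both thresholds are assumed)."""
    kept = filter_records(records, benign, malicious)
    flagged = []
    for cluster in chinese_whispers([dom for _, _, dom in kept]):
        if len(cluster) < min_size:
            continue
        pairs = list(combinations(cluster, 2))
        str_sim = sum(string_similarity(a, b) for a, b in pairs) / len(pairs)
        if str_sim >= min_string_sim and query_sequence_similarity(cluster, kept) >= min_query_sim:
            flagged.append(cluster)
    return flagged
```

Calling `detect_dga_clusters(SAMPLE_LOG, KNOWN_BENIGN, KNOWN_MALICIOUS)` returns a single cluster containing the four generated names: their all-consonant labels give pairwise string similarity 1.0, so they form one class under Chinese Whispers, and the two hosts that queried them did so in identical order. The dictionary-word domains never reach the 0.7 edge threshold against each other or against the generated names, so they remain singletons and are never flagged. The shape-based similarity is deliberately simple; it would not separate word-list DGAs from real sites, which is one reason the query-order evidence is checked as well.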

Original language: English
Title of host publication: 32nd International Conference on Information Networking, ICOIN 2018
Publisher: IEEE Computer Society
Pages: 104-109
Number of pages: 6
ISBN (Electronic): 9781538622896
DOIs
Publication status: Published - 2018 Apr 19
Event: 32nd International Conference on Information Networking, ICOIN 2018 - Chiang Mai, Thailand
Duration: 2018 Jan 10 to 2018 Jan 12

Publication series

Name: International Conference on Information Networking
Volume: 2018-January
ISSN (Print): 1976-7684

Other

Other: 32nd International Conference on Information Networking, ICOIN 2018
Country/Territory: Thailand
City: Chiang Mai
Period: 2018-01-10 to 2018-01-12

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Information Systems
