TY - GEN
T1 - On similarities of string and query sequence for DGA botnet detection
AU - Chang, Chun De
AU - Lin, Hui Tang
N1 - Publisher Copyright:
© 2018 IEEE.
PY - 2018/4/19
Y1 - 2018/4/19
N2 - The Internet plays an important role in people's lives nowadays. However, Internet security is a major concern. Among the various threats facing the Internet and Internet users are so-called botnet attacks. A typical botnet is composed of a botmaster, a Command and Control (C&C) server and many compromised devices called bots. A botmaster can control these bots via the C&C server to launch various attacks, such as DDoS attacks, phishing, spam distribution, and so on. Among all botnets, Domain Generation Algorithm (DGA) botnets are particularly resilient to traditional detection by associating the C&C server to one of the generated domains in each bot. Accordingly, this study presents a robust approach for detecting DGA botnets based on an inspection of the DNS traffic in a system. In the proposed approach, the DNS records are filtered to remove known benign or malicious domains and are then clustered using a modified Chinese Whispers algorithm. The nature of each group (i.e., malicious or benign) is then identified by means of a Sequence Similarity Module and a Query Sequence Similarity Module. It is shown that the proposed method successfully detects various types of botnet in a real-world, large-scale network.
AB - The Internet plays an important role in people's lives nowadays. However, Internet security is a major concern. Among the various threats facing the Internet and Internet users are so-called botnet attacks. A typical botnet is composed of a botmaster, a Command and Control (C&C) server and many compromised devices called bots. A botmaster can control these bots via the C&C server to launch various attacks, such as DDoS attacks, phishing, spam distribution, and so on. Among all botnets, Domain Generation Algorithm (DGA) botnets are particularly resilient to traditional detection by associating the C&C server to one of the generated domains in each bot. Accordingly, this study presents a robust approach for detecting DGA botnets based on an inspection of the DNS traffic in a system. In the proposed approach, the DNS records are filtered to remove known benign or malicious domains and are then clustered using a modified Chinese Whispers algorithm. The nature of each group (i.e., malicious or benign) is then identified by means of a Sequence Similarity Module and a Query Sequence Similarity Module. It is shown that the proposed method successfully detects various types of botnet in a real-world, large-scale network.
UR - http://www.scopus.com/inward/record.url?scp=85047015528&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85047015528&partnerID=8YFLogxK
U2 - 10.1109/ICOIN.2018.8343094
DO - 10.1109/ICOIN.2018.8343094
M3 - Conference contribution
AN - SCOPUS:85047015528
T3 - International Conference on Information Networking
SP - 104
EP - 109
BT - 32nd International Conference on Information Networking, ICOIN 2018
PB - IEEE Computer Society
T2 - 32nd International Conference on Information Networking, ICOIN 2018
Y2 - 10 January 2018 through 12 January 2018
ER -