On similarities of string and query sequence for DGA botnet detection

Chun De Chang, Hui Tang Lin

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

The Internet plays an important role in people's lives nowadays, but Internet security remains a major concern. Among the threats facing the Internet and its users are botnet attacks. A typical botnet is composed of a botmaster, a Command and Control (C&C) server and many compromised devices called bots. The botmaster controls these bots via the C&C server to launch attacks such as DDoS, phishing and spam distribution. Among botnets, Domain Generation Algorithm (DGA) botnets are particularly resilient to traditional detection: each bot generates a large set of candidate domains and the C&C server is reachable under only one of them, so blocking a single known domain does not cut off the channel. Accordingly, this study presents a robust approach for detecting DGA botnets based on inspection of the DNS traffic in a network. In the proposed approach, DNS records are first filtered to remove known benign and known malicious domains and are then clustered using a modified Chinese Whispers algorithm. The nature of each cluster (malicious or benign) is then determined by a Sequence Similarity Module and a Query Sequence Similarity Module. The proposed method is shown to detect various types of botnet in a real-world, large-scale network.
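As an added illustration, not the paper's code, the Python sketch below runs the three-stage pipeline shape the abstract describes over a constructed DNS log: filter records against reputation lists, link the remaining names by a combined string similarity and query-sequence similarity, cluster with Chinese Whispers, and score each cluster. The paper's modification to Chinese Whispers and the internals of its two similarity modules are not described on this page, so standard Chinese Whispers, character-bigram Jaccard (string side), Jaccard of the client sets that queried each name (query side), and the final decision rule (cluster size, number of querying clients, NXDOMAIN ratio, longest consonant run) are all assumptions, as are the sample names, addresses, lists and thresholds.

```python
"""Toy DGA-botnet detection pipeline over DNS records (illustration, not the paper's code):
filter known domains -> Chinese Whispers clustering -> per-cluster scoring."""
import random
from collections import defaultdict

# Constructed sample DNS log: (client, queried name, response code).
# Hosts 10.0.0.7 and 10.0.0.9 walk the same list of random-looking names and
# mostly receive NXDOMAIN; the other hosts query ordinary names.
DNS_LOG = [
    ("10.0.0.5", "www.google.com", "NOERROR"),
    ("10.0.0.5", "github.com", "NOERROR"),
    ("10.0.0.6", "cdn.example-shop.net", "NOERROR"),
    ("10.0.0.6", "img.example-shop.net", "NOERROR"),
    ("10.0.0.6", "api.example-shop.net", "NOERROR"),
    ("10.0.0.7", "known-bad.test", "NOERROR"),
    ("10.0.0.7", "qxwvnrtplkzm.info", "NXDOMAIN"),
    ("10.0.0.7", "ztqplvwnrkxm.info", "NXDOMAIN"),
    ("10.0.0.7", "rkmvqzpxwtln.info", "NXDOMAIN"),
    ("10.0.0.7", "pvnkxlzrwqtm.info", "NOERROR"),
    ("10.0.0.9", "qxwvnrtplkzm.info", "NXDOMAIN"),
    ("10.0.0.9", "ztqplvwnrkxm.info", "NXDOMAIN"),
    ("10.0.0.9", "rkmvqzpxwtln.info", "NXDOMAIN"),
    ("10.0.0.9", "pvnkxlzrwqtm.info", "NOERROR"),
]
# Hypothetical reputation lists standing in for "known benign" / "known malicious".
ALLOWLIST = {"google.com", "github.com"}
BLOCKLIST = {"known-bad.test"}


def registered_domain(qname):
    # Crude eTLD+1 (last two labels); real code needs a public-suffix list.
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def filter_records(log, allow, block):
    """Step 1: drop records whose registered domain is already known benign or malicious."""
    return [r for r in log if registered_domain(r[1]) not in allow | block]


def bigrams(s):
    return {s[i:i + 2] for i in range(len(s) - 1)}


def string_similarity(a, b):
    """Character-bigram Jaccard between two names (assumed stand-in for the string module)."""
    x, y = bigrams(a), bigrams(b)
    return len(x & y) / len(x | y) if x | y else 0.0


def query_similarity(a, b, queriers):
    """Jaccard of the client sets that queried each name (assumed stand-in for the query module)."""
    x, y = queriers[a], queriers[b]
    return len(x & y) / len(x | y)


def build_graph(records, threshold=0.4):
    """Step 2a: weighted graph over names; an edge exists when the combined score clears threshold."""
    queriers = defaultdict(set)
    for client, qname, _ in records:
        queriers[qname].add(client)
    names = sorted(queriers)
    edges = {n: {} for n in names}
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            w = 0.5 * string_similarity(a, b) + 0.5 * query_similarity(a, b, queriers)
            if w >= threshold:
                edges[a][b] = edges[b][a] = w
    return names, edges, queriers


def chinese_whispers(nodes, edges, iterations=20, seed=7):
    """Step 2b: standard Chinese Whispers; each node adopts the neighbour label with the heaviest vote."""
    labels = {n: n for n in nodes}
    rng = random.Random(seed)  # fixed seed so the node visiting order is reproducible
    order = list(nodes)
    for _ in range(iterations):
        rng.shuffle(order)
        changed = False
        for n in order:
            votes = defaultdict(float)
            for m, w in edges[n].items():
                votes[labels[m]] += w
            if votes:
                best = max(votes, key=lambda l: (votes[l], l))  # deterministic tie-break
                if best != labels[n]:
                    labels[n], changed = best, True
        if not changed:
            break
    groups = defaultdict(list)
    for n, l in labels.items():
        groups[l].append(n)
    return [sorted(g) for g in groups.values()]


def max_consonant_run(label):
    run = best = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in "aeiou" else 0
        best = max(best, run)
    return best


def score_cluster(cluster, records, queriers):
    """Step 3: string-side and query-side evidence for one cluster, with a toy decision rule."""
    sld = [q.split(".")[-2] for q in cluster]  # second-level label carries the DGA output
    recs = [r for r in records if r[1] in cluster]
    feats = {
        "cluster": cluster,
        "mean_consonant_run": sum(max_consonant_run(s) for s in sld) / len(sld),
        "clients": len(set().union(*(queriers[q] for q in cluster))),
        "nx_ratio": sum(r[2] == "NXDOMAIN" for r in recs) / len(recs),
    }
    # Assumed rule: several random-looking names, walked by more than one host, mostly unresolvable.
    feats["malicious"] = (len(cluster) >= 3 and feats["clients"] >= 2
                          and feats["nx_ratio"] >= 0.5 and feats["mean_consonant_run"] >= 5)
    return feats


def detect(log, allow, block):
    records = filter_records(log, allow, block)
    names, edges, queriers = build_graph(records)
    clusters = chinese_whispers(names, edges)
    return sorted((score_cluster(c, records, queriers) for c in clusters), key=lambda f: f["cluster"][0])


if __name__ == "__main__":
    for f in detect(DNS_LOG, ALLOWLIST, BLOCKLIST):
        print("MALICIOUS" if f["malicious"] else "benign   ", f["cluster"])
```

The point the toy makes is that clustering alone does not decide anything: the three `example-shop.net` names also form a tight cluster, and only the per-cluster evidence (one querying host, no NXDOMAIN responses, pronounceable labels) keeps them on the benign side.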

Original language: English
Title of host publication: 32nd International Conference on Information Networking, ICOIN 2018
Publisher: IEEE Computer Society
Pages: 104-109
Number of pages: 6
ISBN (Electronic): 9781538622896
DOI: 10.1109/ICOIN.2018.8343094
Publication status: Published - 2018 Apr 19
Event: 32nd International Conference on Information Networking, ICOIN 2018 - Chiang Mai, Thailand
Duration: 2018 Jan 10 to 2018 Jan 12

Publication series

Name: International Conference on Information Networking
Volume: 2018-January
ISSN (Print): 1976-7684

Other

Other: 32nd International Conference on Information Networking, ICOIN 2018
Country: Thailand
City: Chiang Mai
Period: 18-01-10 to 18-01-12

Fingerprint: Internet, Servers, Botnet, Inspection

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Information Systems

Cite this

Chang, C. D., & Lin, H. T. (2018). On similarities of string and query sequence for DGA botnet detection. In 32nd International Conference on Information Networking, ICOIN 2018 (pp. 104-109). (International Conference on Information Networking; Vol. 2018-January). IEEE Computer Society. https://doi.org/10.1109/ICOIN.2018.8343094