On Similarities of String and Query Sequence for DGA Botnet Detection

  • 張 存德

Student thesis: Master's Thesis

Abstract

The Internet plays an important role in people's lives nowadays. However, Internet security is a major concern. Among the various threats facing the Internet and Internet users are so-called botnet attacks. In such an attack, hundreds or even thousands of devices (known as bots) are compromised by malicious websites or malware and are then controlled by the botmaster through a C&C controller to perform various nefarious activities such as DDoS attacks, phishing, spam distribution, and so on. Domain Generation Algorithm (DGA) botnets are particularly resilient to detection, since they generate a large number of domains (upwards of tens of thousands per day) and simply change to a new domain if the current domain is compromised. Crucially, the botmaster needs only to register one domain name to carry out C&C activity, whereas defenders must block all of the generated domains in order to thwart the attack. Accordingly, this thesis presents a robust approach for detecting DGA botnets based on an inspection of the DNS traffic in a system. In the proposed approach, the DNS records are filtered to remove known benign or malicious domains and are then clustered using a modified Chinese Whispers algorithm. The nature of each group (i.e. malicious or benign) is then identified by means of a Sequence Similarity Module based on the Sorensen-Dice Coefficient and a Query Sequence Similarity Module based on an inspection of the query timing sequence. It is shown that the proposed method successfully detects various types of botnet in a real-world, large-scale network.
Date of Award: 2017 Sep 7
Original language: English
Supervisor: Hui-Tang Lin
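The two similarity modules the abstract describes, as an added illustration that is not code from the thesis: Sorensen-Dice over character bigrams for the string side, Dice over the time buckets in which each domain was queried for the timing side, and Chinese Whispers label propagation over the resulting similarity graph. Combining the two modules by taking the larger score, the 0.5 edge threshold, and the sample query data are assumptions of this example, not values taken from the thesis.

```python
import random


def bigrams(s):
    """Character-bigram set of a domain name (the string feature fed to Dice)."""
    return {s[i:i + 2] for i in range(len(s) - 1)}


def dice(a, b):
    """Sorensen-Dice coefficient of two sets: 2|A n B| / (|A| + |B|); 0 if both empty."""
    return 2 * len(a & b) / (len(a) + len(b) or 1)


def similarity(d1, d2, queries):
    """Edge weight: max of name similarity and query-timing similarity (assumed rule)."""
    return max(dice(bigrams(d1), bigrams(d2)), dice(queries[d1], queries[d2]))


def chinese_whispers(queries, threshold=0.5, iterations=20, seed=7):
    """Chinese Whispers clustering over a graph that keeps only edges with
    weight >= threshold; domains with no edges stay singletons."""
    names = sorted(queries)
    labels = {n: i for i, n in enumerate(names)}  # every node starts in its own class
    edges = {n: {} for n in names}
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            w = similarity(a, b, queries)
            if w >= threshold:
                edges[a][b] = edges[b][a] = w
    rng = random.Random(seed)
    for _ in range(iterations):
        changed = False
        for n in rng.sample(names, len(names)):  # random visiting order, as in CW
            if not edges[n]:
                continue
            score = {}
            for m, w in edges[n].items():
                score[labels[m]] = score.get(labels[m], 0.0) + w  # weighted label vote
            best = max(sorted(score), key=score.get)  # smallest label wins ties
            if best != labels[n]:
                labels[n], changed = best, True
        if not changed:
            break
    return sorted(({n for n in names if labels[n] == lab} for lab in set(labels.values())), key=min)


# Constructed sample: minute buckets in which each domain was resolved. The benign names
# share bigrams but unrelated timing; the DGA-like names share timing but few bigrams.
SAMPLE = {
    "www.example.com": {1, 5, 9}, "mail.example.com": {2, 7, 12},
    "docs.example.com": {3, 8, 13}, "cdn.othersite.org": {4, 11, 16},
    "q7xk2pzm.net": {20, 21, 22}, "zb4wnt9e.net": {20, 21, 22},
    "hc8rgf1v.net": {20, 21, 22},
}
```

Running `chinese_whispers(SAMPLE)` yields three groups: the three `example.com` hosts (string similarity), the three `.net` names (timing similarity only), and `cdn.othersite.org` on its own; the `.net` group is the one a practitioner would then inspect as a candidate DGA cluster.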
