TY - GEN
T1 - DGA botnet detection utilizing social network analysis
AU - Wang, Tzy Shiah
AU - Lin, Chih Sheng
AU - Lin, Hui Tang
N1 - Funding Information:
This work was supported in part by Taiwan Information Security Center (TWISC), Academia Sinica, and Ministry of Science and Technology, R.O.C., under Grant No. MOST 103-2221-E-006-147-MY3 and MOST 104-2218-E-001-002.
PY - 2016/8/16
Y1 - 2016/8/16
N2 - Botnets are one of the major threats to network security. A botnet can launch attacks such as stealing information, running phishing sites, sending spam mail and mounting distributed denial of service (DDoS) attacks. Some botnets, called Domain Generation Algorithm (DGA) botnets, apply a domain generation algorithm to avoid detection by traditional blacklist-based schemes. Using a domain generation algorithm, a DGA bot periodically generates a huge list of candidate Command and Control (C&C) server domains. The bot then attempts to reach the C&C server by querying DNS servers for the domains on the list one by one until it connects to an existing C&C server. This makes DGA botnets very elusive and difficult to detect with traditional defense systems, and thus gives them high survivability. To resolve this issue, this study proposes a DGA botnet detection mechanism that utilizes the feature-based characteristics of social networks. The effectiveness of the mechanism was measured by deploying it in a campus network environment and observing it for eighteen months. The most interesting finding of this experiment is a new class of DGA botnet with a query pattern that had not been detected before. The results show that the proposed mechanism can accurately and effectively detect both well-known and new malicious DGA botnets in real-world networks.
AB - Botnets are one of the major threats to network security. A botnet can launch attacks such as stealing information, running phishing sites, sending spam mail and mounting distributed denial of service (DDoS) attacks. Some botnets, called Domain Generation Algorithm (DGA) botnets, apply a domain generation algorithm to avoid detection by traditional blacklist-based schemes. Using a domain generation algorithm, a DGA bot periodically generates a huge list of candidate Command and Control (C&C) server domains. The bot then attempts to reach the C&C server by querying DNS servers for the domains on the list one by one until it connects to an existing C&C server. This makes DGA botnets very elusive and difficult to detect with traditional defense systems, and thus gives them high survivability. To resolve this issue, this study proposes a DGA botnet detection mechanism that utilizes the feature-based characteristics of social networks. The effectiveness of the mechanism was measured by deploying it in a campus network environment and observing it for eighteen months. The most interesting finding of this experiment is a new class of DGA botnet with a query pattern that had not been detected before. The results show that the proposed mechanism can accurately and effectively detect both well-known and new malicious DGA botnets in real-world networks.
UR - http://www.scopus.com/inward/record.url?scp=84986204163&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84986204163&partnerID=8YFLogxK
U2 - 10.1109/IS3C.2016.93
DO - 10.1109/IS3C.2016.93
M3 - Conference contribution
AN - SCOPUS:84986204163
T3 - Proceedings - 2016 IEEE International Symposium on Computer, Consumer and Control, IS3C 2016
SP - 333
EP - 336
BT - Proceedings - 2016 IEEE International Symposium on Computer, Consumer and Control, IS3C 2016
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2016 IEEE International Symposium on Computer, Consumer and Control, IS3C 2016
Y2 - 4 July 2016 through 6 July 2016
ER -