On Similarities of String and Query Sequence for DGA Botnet Detection

Translated thesis title: A DGA-Type Botnet Detection Mechanism Based on String and Query-Timing Similarity Analysis (基於字串及查詢時序性相似度分析之DGA形態殭屍網路偵測機制)
  • 張 存德

Student thesis: Master's Thesis


The Internet plays an important role in people's lives nowadays; however, Internet security is a major concern. Among the various threats facing the Internet and its users are so-called botnet attacks. In such an attack, hundreds or even thousands of devices (known as bots) are compromised by malicious websites or malware and are then controlled by the botmaster through a command-and-control (C&C) server to perform various nefarious activities such as DDoS attacks, phishing, spam distribution, and so on. Domain Generation Algorithm (DGA) botnets are particularly resilient to detection and takedown, since they generate a large number of candidate domains (upwards of tens of thousands per day) and simply move to a new domain if the current one is blocked or seized. Crucially, the botmaster needs only to register one of the generated domains to carry out C&C activity, whereas defenders must block all of them in order to thwart the attack. Accordingly, this thesis presents a robust approach for detecting DGA botnets based on an inspection of the DNS traffic in a network. In the proposed approach, the DNS records are first filtered to remove known benign or malicious domains and are then clustered using a modified Chinese Whispers algorithm. The nature of each cluster (i.e., malicious or benign) is then determined by means of a String Similarity Module based on the Sørensen-Dice coefficient and a Query Sequence Similarity Module based on an inspection of the query timing sequence. It is shown that the proposed method successfully detects various types of botnet in a real-world, large-scale network.
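The following is an added illustration of two of the building blocks named in the abstract, not code from the thesis: the Sørensen-Dice coefficient computed over character bigrams of the second-level label as a string-similarity measure between queried domain names, and Chinese Whispers clustering over the resulting similarity graph. It implements the standard Chinese Whispers algorithm (the thesis uses a modified variant whose details are not given here), the filtering step is reduced to dropping labels from a caller-supplied allow/deny set, the timing-based Query Sequence Similarity Module is not reproduced, and the sample domains, the 0.5 edge threshold and all function names are constructed for this example.

```python
"""Added example: Sørensen-Dice string similarity on domain labels plus
(standard) Chinese Whispers graph clustering, as used in DGA detection
pipelines. Not the thesis's own code; sample data is constructed."""
import random
from collections import Counter

# Constructed sample traffic: a few human-registered names and four labels
# that look like the output of a single DGA family (shared structure,
# different TLDs).
SAMPLE_DOMAINS = [
    "www.google.com", "mail.google.com", "www.wikipedia.org",
    "kqzxvpmwt.com", "kqzxvpmwa.net", "kqzxvpmwr.org", "kqzxvpmwq.biz",
]


def second_level_label(domain):
    """Return the label left of the TLD, e.g. 'google' for mail.google.com."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def bigrams(s):
    """Set of overlapping character bigrams of s."""
    return {s[i:i + 2] for i in range(len(s) - 1)}


def sorensen_dice(a, b):
    """Sørensen-Dice coefficient 2|A∩B| / (|A|+|B|) over bigram sets.

    Ranges from 0.0 (no shared bigrams) to 1.0 (identical bigram sets).
    """
    ba, bb = bigrams(a), bigrams(b)
    if not ba and not bb:          # both labels shorter than two chars
        return 1.0
    return 2 * len(ba & bb) / (len(ba) + len(bb))


def build_graph(labels, threshold=0.5):
    """Undirected weighted graph: edge between labels whose Dice similarity
    reaches the (assumed) threshold; weight is the similarity itself."""
    graph = {label: {} for label in labels}
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            w = sorensen_dice(a, b)
            if w >= threshold:
                graph[a][b] = w
                graph[b][a] = w
    return graph


def chinese_whispers(graph, iterations=20, seed=0):
    """Standard Chinese Whispers: every node starts in its own class and
    repeatedly adopts the class with the largest total edge weight among
    its neighbours, visiting nodes in random order until nothing changes.
    Isolated nodes keep their own class (become singleton clusters)."""
    rng = random.Random(seed)
    cls = {node: i for i, node in enumerate(graph)}
    nodes = list(graph)
    for _ in range(iterations):
        rng.shuffle(nodes)
        changed = False
        for node in nodes:
            if not graph[node]:
                continue
            scores = Counter()
            for neighbour, w in graph[node].items():
                scores[cls[neighbour]] += w
            best = scores.most_common(1)[0][0]
            if cls[node] != best:
                cls[node] = best
                changed = True
        if not changed:
            break
    clusters = {}
    for node, c in cls.items():
        clusters.setdefault(c, set()).add(node)
    # Largest clusters first; ties broken by the smallest member name.
    return sorted(clusters.values(), key=lambda s: (-len(s), min(s)))


def cluster_domains(domains, known=frozenset(), threshold=0.5):
    """Pipeline sketch: dedupe to second-level labels, drop labels already
    known to be benign or malicious, then cluster the remainder."""
    labels = sorted({second_level_label(d) for d in domains} - set(known))
    return chinese_whispers(build_graph(labels, threshold))


if __name__ == "__main__":
    for group in cluster_domains(SAMPLE_DOMAINS):
        print(sorted(group))
```

On the constructed sample the four DGA-like labels share seven of eight bigrams pairwise (Dice 0.875) and form one cluster, while the human-registered labels share no bigrams with anything and end up as singletons; in a real deployment the cluster would then be passed to the string and query-timing similarity checks described in the abstract rather than judged on size alone.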
Award date: 7 September 2017
Supervisor: Hui-Tang Lin