Xiaobo Ma,Junjie Zhang,Zhenhua Li,Jianfeng Li,Jing Tao,Xiaohong Guan,John C. S. Lui,Don Towsley

DOI: https://doi.org/10.1016/j.jnca.2014.09.016

IF: 7.574

2015-01-01

Journal of Network and Computer Applications

Abstract:As the hidden backbone of today׳s Internet, the Domain Name System (DNS) provides name resolution service for almost every networked application. To exploit the rich DNS query information for traffic engineering or user behavior analysis, both passive capturing and active probing techniques have been proposed in recent years. Despite its full visibility of DNS behaviors, the passive capturing technique suffers from prohibitive management cost and results in tremendous privacy concerns towards its large-scale and collaborative deployment. Comparatively, the active probing technique overcomes these limitations, providing broad-view and privacy-preserving DNS query analysis at the cost of constrained visibility of fine-grained DNS behavior. This paper aims to accurately estimate DNS query characteristics based on DNS cache activities, which can be acquired via active probing on a large scale at negligible management cost and minimized privacy concerns. Specifically, we have made three contributions: (1) we propose a novel solution, which integrates the renewal theory-based DNS caching formulation and the hyper-exponential distribution model. The solution offers great flexibility to model various domains; (2) we perform a large-scale real-world DNS trace measurement, and demonstrate that our solution significantly improves the estimation accuracy; (3) we apply our solution to estimate the malware-infected host population in remote management networks. The experimental results have demonstrated that our solution can achieve high estimation accuracy and outperforms the existing method.

Ting Wang,Xin Hu,Jiyong Jang,Shouling Ji,Marc Stoecklin,Teryl Taylor

DOI: https://doi.org/10.1109/icdcs.2016.77

2016-01-01

Abstract:Recent years have witnessed a rampant use of domain generation algorithms (DGAs) in major botnet crimewares, which tremendously strengthens a botnet's capability to evade detection or takedown. Despite a plethora of existing studies on detecting DGA-generated domains in DNS traffic, remediating such threats still relies on vetting the DNS behavior of each individual device. Yet, in large networks featuring complicated DNS infrastructures, we often lack the capability or the resource to exhaustively investigate every part of the networks to identify infected devices in a timely manner. It is therefore of great interest to first assess the population distribution of DGA-bots inside the networks and to prioritize the remediation efforts. In this paper, we present BotMeter, a novel tool that accurately charts the DGA-bot population landscapes in large networks. Specifically, we embrace the prevalent yet challenging setting of hierarchical DNS infrastructures with caching and forwarding mechanisms enabled, whereas DNS traffic is observable only at certain upper-level vantage points. We establish a new taxonomy of DGAs that captures their characteristic DNS dynamics. This allows us to develop a rich library of rigorous analytical models to describe the complex relationships between bot populations and DNS lookups observed at vantage points. We provide results from extensive empirical studies using both synthetic data and real DNS traces to validate the efficacy of BotMeter.

XIA Qin,WANG Zhiwen,LIU Lu

2012-01-01

Abstract:Botnet activities can't be tracked entirely with traditional methods because of the deficiency of information in local behavioral feature.A novel approach on tracking Botnet activity is presented based on co-occurrence relation of domain name system(DNS) queries.An algorithm is utilized to calculate the co-occurrence between undetermined DNS and known Botnet DNS so as to find some other Botnet DNS.Three improved measures are proposed in order to increase the accuracy of evaluating co-occurrence.The three measures are filtering DNS access by network address translation,differentiating individual spatial Botnet and observation time based statistic of co-occurrence.Experiments are carried out with test data of DNS queries collected in the campus network of Xi′an Jiaotong University.The results show that some advantages are acquired obviously with the improved measures,such as the number of undetermined DNS can fall to a quarter of traditional method,the co-occurrence acquired is more suitable for the top ten DNS and the accuracy is improved in finding zombies.

Jianfeng Li,Xiaobo Ma,Li Guodong,Xiapu Luo,Junjie Zhang,Wei Li,Xiaohong Guan

DOI: https://doi.org/10.1109/infocom.2018.8486210

2018-01-01

Abstract:Domain Name System (DNS) is one of the pillars of today's Internet. Due to its appealing properties such as low data volume, wide-ranging applications and encryption free, DNS traffic has been extensively utilized for network monitoring. Most existing studies of DNS traffic, however, focus on domain name reputation. Little attention has been paid to understanding and profiling what people are doing from DNS traffic, a fundamental problem in the areas including Internet demographics and network behavior analysis. Consequently, simple questions like “How to determine whether a DNS query for www.google.com means searching or any other behaviors?” cannot be answered by existing studies. In this paper, we take the first step to identify user activities from raw DNS queries. We advance a multiscale hierarchical framework to tackle two practical challenges, i.e., behavior ambiguity and behavior polymorphism. Under this framework, a series of novel methods, such as pattern upward mapping and multi-scale random forest classifier, are proposed to characterize and identify user activities of interest. Evaluation using both synthetic and real-world DNS traces demonstrates the effectiveness of our method.

Jing Zhuge,Thorsten Holz,Xinhui Han,Jinpeng Guo,Wei Zou

2007-01-01

Abstract:Botnets, networks of compromised machines that can be remotely controlled by an attacker, are one of the most common attack platforms nowadays. They can, for example, be used to launch distributed denial-of-service (DDoS) attacks, steal sensitive information, or send spam emails. A long-term measurement study of botnet activities is useful as a basis for further research on global botnet mitigation and disruption techniques. We have built a distributed and fully-automated botnet measurement system which allows us to collect data on the botnet activity we observe in China. Based on the analysis of tracking records of 3,290 IRC-based botnets during a period of almost twelve months, this paper presents several novel results of botnet activities which can only be measured via long-term measurements. These include. amongst others, botnet lifetime, botnet discovery trends and distributions, command and control channel distributions, botnet size and end-host distributions. Furthermore, our measurements confirm and extend several previous results from this area. Our results show that the botnet problem is of global scale, with a scattered distribution of the control infrastructure and also a scattered distribution of the victims. Furthermore, the control infrastructure itself is rather flexible, with an average lifetime of a Command \& Control server of about 54 days. These results can also leverage research in the area of botnet detection, mitigation, and disruption: only by understanding the problem in detail, we can develop efficient counter measures.

Hongyu Gao,Vinod Yegneswaran,Jian Jiang,Yan Chen,Phillip Porras,Shalini Ghosh,Haixin Duan

DOI: https://doi.org/10.1109/tnet.2014.2358637

2016-01-01

IEEE/ACM Transactions on Networking

Abstract:The performance and operational characteristics of the Domain Name System (DNS) protocol are of deep interest to the research and network operations community. In this paper, we present measurement results from a unique dataset containing more than 26 billion DNS query-response pairs collected from more than 600 globally distributed recursive DNS resolvers. We use this dataset to reaffirm findings in published work and notice some significant differences that could be attributed both to the evolving nature of DNS traffic and to our differing perspective. For example, we find that although characteristics of DNS traffic vary greatly across networks, the resolvers within an organization tend to exhibit similar behavior. We further find that more than 50% of DNS queries issued to root servers do not return successful answers, and that the primary cause of lookup failures at root servers is malformed queries with invalid top-level domains (TLDs). Furthermore, we propose a novel approach that detects malicious domain groups using temporal correlation in DNS queries. Our approach requires no comprehensive labeled training set, which can be difficult to build in practice. Instead, it uses a known malicious domain as anchor and identifies the set of previously unknown malicious domains that are related to the anchor domain. Experimental results illustrate the viability of this approach, i. e., we attain a true positive rate of more than 96%, and each malicious anchor domain results in a malware domain group with more than 53 previously unknown malicious domains on average.

Zhichun Li,Anup Goyal,Yan Chen,Vern Paxson

DOI: https://doi.org/10.1109/tifs.2010.2086445

IF: 7.231

2011-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Botnets dominate today's attack landscape. In this work, we investigate ways to analyze collections of malicious probing traffic in order to understand the significance of large-scale "botnet probes." In such events, an entire collection of remote hosts together probes the address space monitored by a sensor in some sort of coordinated fashion. Our goal is to develop methodologies by which sites receiving such probes can infer-using purely local observation-information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminant attack? Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties, such as trend, uniformity, coordination, and darknet avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that our inferences exhibit promising accuracy.

Zhitang Li,Jun Hu,Zhengbing Hu,Bingbing Wang,Liang Tang,Xin Yi

DOI: https://doi.org/10.4304/jnw.5.1.98-105

2010-01-01

Journal of Networks

Abstract:Botnets have become one of the most serious threats to the Internet. They are now the key platform for many Internet attacks, such as spa m, distributed denial-of-service(DDoS), and we call these attacks “the second character of bots”. I n this paper, we focus on characterizing spamming botnets by leveraging both spam payload and spam nodes traffic properties. M easurement of botnets is an important and challenging work. H owever, most existing approaches work only o n specific botnet command and control (c&c) protocols (e.g., IRC) and structures (e.g., centralized). I n this paper, we present two measurement frameworks (MFNL and MFAL) that based on the second character of bots to measure the size of the botnet. W e have easily implemented our prototype system and evaluated it using many real network traces , and we also compare these two app r oaches from several points.

Zhichun Li,Anup Goyal,Yan Chen,Vern Paxson

DOI: https://doi.org/10.1145/1533057.1533063

2009-01-01

Abstract:Botnets dominate today's attack landscape. In this work we investigate ways to analyze collections of malicious probing traffic in order to understand the significance of large-scale "botnet probes". In such events, an entire collection of remote hosts together probes the address space monitored by a sensor in some sort of coordinated fashion. Our goal is to develop methodologies by which sites receiving such probes can infer---using purely local observation---information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminant attack? Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties such as trend, uniformity, coordination, and darknet avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that our inferences exhibit promising accuracy.

Jianfeng Lit,Zheng Lin,Xiaobo Mat,Jianhao Lit,Jian Qut,Xiapu Lu,Xiaohong Guan

DOI: https://doi.org/10.1109/infocom52122.2024.10621277

2024-01-01

Abstract:The domain name system (DNS) is indispensable to nearly every Internet service. It has been extensively utilized for network activity characterization in passive and active approaches. Compared to the passive approach, active DNS cache probing is privacy-preserving and low-cost, enabling worldwide characterization of remote network activities in different networks. Unfortunately, existing probing-based methods are too coarse-grained to characterize the time-varying features of network activities, substantially limiting their applications in time-sensitive tasks. In this paper, we advance DNSScope, a fine-grained DNS cache probing framework by tackling three challenges: sample sparsity, observational distortion, and cache entanglement. DNSScope synthesizes statistical learning and self-supervised transfer learning to achieve time-varying characterization. Extensive evaluations demonstrate that it can accurately estimate the time-varying DNS query arrival rates on recursive DNS resolvers. Its average mean absolute error is 0.124, as low as one-sixth that of the baseline methods.

Ahmed M. Manasrah,Awsan Hasan,Omar Amer Abouabdalla,Sureswaran Ramadass

DOI: https://doi.org/10.48550/arXiv.0911.0487

2009-11-03

Networking and Internet Architecture

Abstract:IThe botnet is considered as a critical issue of the Internet due to its fast growing mechanism and affect. Recently, Botnets have utilized the DNS and query DNS server just like any legitimate hosts. In this case, it is difficult to distinguish between the legitimate DNS traffic and illegitimate DNS traffic. It is important to build a suitable solution for botnet detection in the DNS traffic and consequently protect the network from the malicious Botnets activities. In this paper, a simple mechanism is proposed to monitors the DNS traffic and detects the abnormal DNS traffic issued by the botnet based on the fact that botnets appear as a group of hosts periodically. The proposed mechanism is also able to classify the DNS traffic requested by group of hosts (group behavior) and single hosts (individual behavior), consequently detect the abnormal domain name issued by the malicious Botnets. Finally, the experimental results proved that the proposed mechanism is robust and able to classify DNS traffic, and efficiently detects the botnet activity with average detection rate of 89 percent.

Jian Qu,Xiaobo Ma,Wenmao Liu

DOI: https://doi.org/10.1109/dsa52907.2021.00024

2021-01-01

Abstract:Domain Name System (DNS) is indispensable to the daily operation of all Internet services, computer programs, smartphones, etc. It has been commonly explored as a vantage point for network monitoring. However, a fundamental question that whether a DNS query originating from a querent is issued by humans or software entities remains not deeply investigated. Tackling such a question enables us to further passively discover software entities that the querent uses from DNS traffic. In this paper, we systematically perform querent-centric DNS modeling and explore its application in passive software discovery. Through in-depth measurement of real-world DNS traffic involving 4,398 querents, we develop an entropy-based method to distinguish between human and non-human domain names, and propose a community-based software discovery solution. The measurement and experiments show that our methods can well characterize the non-human and human DNS query behavior, and achieve passive software discovery.

Jianfeng Li,Xiaobo Ma,Jing Tao,Xiaohong Guan

DOI: https://doi.org/10.1109/ICC.2013.6654916

2013-01-01

Abstract:It is an important task in Internet demography and security monitoring to accurately measure the user population of an application in a network. In previous works, the Domain Name System (DNS) cache probing technique was proposed to estimate λ̅, the average DNS querying rate for a domain name associated with the given application. One can readily obtain the user population given another empirical parameter from DNS traces, i.e., average number of DNS queries per user. The previous estimator for λ̅ was based on the assumption that the DNS query arrivals can be described by a homogeneous Poisson process. In this paper, we verify this assumption by measuring real DNS traces and find that it is over-simplified. In fact, the DNS query arrivals exhibit non-stationary property dominated by a diurnal pattern in general, thereby making the previous estimator underestimate λ̅. Then, an asymptotically unbiased estimator is proposed using the Bayesian forecasting. The proposed estimator is more general as compared with the previous one because it can accurately estimate λ̅ when the DNS query arrivals can be described by either homogeneous or non-homogeneous Poisson processes. The proposed estimator meets the minimum mean squared error principle, and the experimental results show that it significantly outperforms the previous one. The DNS cache probing technique offers promising applications because it is low-cost, less invasive and privacy preserving. Our work greatly boosts the practicability of this technique.

Stefano Schiavoni,Federico Maggi,Lorenzo Cavallaro,Stefano Zanero

DOI: https://doi.org/10.48550/arXiv.1311.5612

2013-11-22

Abstract:Modern botnets rely on domain-generation algorithms (DGAs) to build resilient command-and-control infrastructures. Recent works focus on recognizing automatically generated domains (AGDs) from DNS traffic, which potentially allows to identify previously unknown AGDs to hinder or disrupt botnets' communication capabilities. The state-of-the-art approaches require to deploy low-level DNS sensors to access data whose collection poses practical and privacy issues, making their adoption problematic. We propose a mechanism that overcomes the above limitations by analyzing DNS traffic data through a combination of linguistic and IP-based features of suspicious domains. In this way, we are able to identify AGD names, characterize their DGAs and isolate logical groups of domains that represent the respective botnets. Moreover, our system enriches these groups with new, previously unknown AGD names, and produce novel knowledge about the evolving behavior of each tracked botnet. We used our system in real-world settings, to help researchers that requested intelligence on suspicious domains and were able to label them as belonging to the correct botnet automatically. Additionally, we ran an evaluation on 1,153,516 domains, including AGDs from both modern (e.g., Bamital) and traditional (e.g., Conficker, Torpig) botnets. Our approach correctly isolated families of AGDs that belonged to distinct DGAs, and set automatically generated from non-automatically generated domains apart in 94.8 percent of the cases.

Cryptography and Security

Hao Tu,Zhi-Tang Li,Bin Liu

DOI: https://doi.org/10.1007/978-3-540-71549-8_40

2007-01-01

Abstract:Botnet is a new trend in Internet attacks. Because the propagation of botnets will not cause large traffic like worm, it is often difficult to detect it. Till now, the most common method to detect botnets is to use honeynets. Although previous work has described an active detection technique using DNS hijacking technique[1], there are little information about how to detect the domain names which botnets used. Some researchers also use DNS based method to detect botnets[2,3], but all of them use simple signature or statistical method which require much prior knowledge.

Xingguo Li,Junfeng Wang,Xiaosong Zhang

DOI: https://doi.org/10.3390/fi9040055

2017-01-01

Future Internet

Abstract:With the help of botnets, intruders can implement a remote control on infected machines and perform various malicious actions. Domain Name System (DNS) is very famous for botnets to locate command and control (C and C) servers, which enormously strengthens a botnet's survivability to evade detection. This paper focuses on evasion and detection techniques of DNS-based botnets and gives a review of this field for a general summary of all these contributions. Some important topics, including technological background, evasion and detection, and alleviation of botnets, are discussed. We also point out the future research direction of detecting and mitigating DNS-based botnets. To the best of our knowledge, this topic gives a specialized and systematic study of the DNS-based botnet evading and detecting techniques in a new era and is useful for researchers in related fields.

Zhicheng Liu,Xiaochun Yun,Yongzheng Zhang,Yipeng Wang

DOI: https://doi.org/10.1109/TrustCom/BigDataSE.2019.00027

2019-01-01

Abstract:Botnet is a part of the most destructive threats to network security and is often used in malicious activities. DGA-based botnet, which uses Domain Generation Algorithm (DGA) to evade detection, has become the main channel to carry out online crimes. In the past, many detection mechanisms focusing on domain features are proposed, but the potential problem is that the features extracting only from the domain names are insufficient and the enemies could easily forge them to disturb detection. In this paper, we propose a novel approach named CCGA to detect DGA-based botnet by leveraging the concerted group behaviors of infected hosts on DNS traffic. The analysis of group behaviors enhances the robustness of our system irrespective of various evasion techniques, such as fake-querying, packet encryption and noise generated by normal users. The proposed scheme associates hosts together in an unsupervised way and then uses supervised learning to distinguish whether it's a botnet. Our system is evaluated in a large ISP over two days and compared with the state of art FANCI. Experimental results show that CCGA can accurately and effectively detect DGA-based botnet in a real-world network. Our system also catches 5 unknown botnet groups and provides a novel method to verify them. Therefore, the system will provide an unique perspective on the current state of globally distributed malware, particularly the ones that use DNS.

Jian Qu,Xiaobo Ma,Wenmao Liu

DOI: https://doi.org/10.1016/j.knosys.2023.110279

IF: 8.139

2023-01-01

Knowledge-Based Systems

Abstract:The Domain Name System (DNS) is indispensable for almost all Internet services. It has been extensively studied for applications such as anomaly detection. However, the fundamental question of whether a DNS query from a querent (i.e., an IP address) is triggered by humans or issued by software entities remains unclear. Addressing this question enables us to profile the querent’s behavior from a human-software perspective, facilitating the understanding of “who is DNS serving for?”. In this study, we systematically performed querent-centric DNS modeling. Through in-depth measurements of three real-world DNS datasets of diverse origins, we developed an entropy-based method to distinguish between human and non-human queries and proposed a semi-supervised solution towards a community-level view for detecting and estimating software entities in a network. The solution can not only detect unknown software entities but is also NAT-compatible because it can detect and estimate software entities of multiple hosts NATed behind a single querent. An extensive evaluation demonstrates that our approach provides a new functionality for automatically disclosing the distinction between human and non-human domain names as well as a priori-independent and NAT-compatible functionality of discovering nearly 50% of the software entities and estimating their population using DNS queries.

Yong Wang,Xiao-chun Yun,Yao,Gang Xiong,Zhen Li

DOI: https://doi.org/10.1109/cit.2012.37

2012-01-01

Abstract:Method of DNSSEC traffic measurement is introduced based on the identification of resource records in DNSSEC. Through the analysis of DNSSEC traffic in several levels which are resource record type, packet length, signature property, and IP features, characteristics of DNSSEC traffic can be concluded. Results show that above 78% of DNSSEC packets are NSEC3 packets, and this means there are too many useless DNSSEC queries, which would not be measured in DNS, but can be measured accurately in DNSSEC with the introduction of NSEC3. In addition to it, validation packets coming from root or top server are more than authority servers. From the analysis of DNSKEY responses, it can be referred the DNSSEC deploying ratio is 54% ignoring the cache of DNSSEC recursive server. The conclusions are helpful to the further deployment and application of DNSSEC.

LI Qing-shan,CHEN Zhong

DOI: https://doi.org/10.3969/j.issn.1000-7024.2012.08.004

2012-01-01

Abstract:Aimed at the shortage of current detection methods of domain-flux botnet,a method based on the alive character of domain name is proposed.The description of domains alive character is given which are generated by domain-flux botnet,and an domain-flux botnet detection method based on the alive characteristics of domain names is proposed.The detection description,detection flow and system structure are introduced.An experiment using the mirror dns traffic from an service provider is designed to validate the effectiveness of this detection method.The result shows that the method proposed do not rely on specific alphanumeric characteristics of domain names,and could find domain names efficiently used by domain-flux botnet.