Congyuan Xu,Jizhong Shen,Xin Du

DOI: https://doi.org/10.1016/j.cose.2019.04.015

IF: 5.105

2019-01-01

Computers & Security

Abstract:Botnets have become one of the main threats to cyberspace security currently. More and more bots utilize the domain generation algorithm (DGA) to generate malicious domain names to communicate with Command & Control (C&C) servers. A well-designed DGA can bypass the traditional detection methods such as sinkhole and rule filtering, which raises new challenges to cyberspace security. In the field of machine learning, the n-gram is a semantic model that characterizes the relationship among neighboring morphemes while deep convolutional neural networks have a robust capability in processing information with translation-invariant properties. In this paper, we combined n-gram and a deep convolutional neural network and then proposed a novel n-gram combined character based domain classification (n-CBDC) model. The n-CBDC model runs in an end-to-end way that doesn’t require hand-extracted features or domain name system (DNS) contextual information; it only needs to input the domain name itself and can automatically estimate the probability that the domain name was generated by DGAs. Experiments on real-world data show that the proposed method can effectively detect domain names generated by DGAs with 98.69% average detection rate and 0.9829 average F-measure, and significantly outperformed the state-of-art methods in detecting pronounceable and wordlist-based DGA domain names with more than 93.89% detection rate. Therefore, the proposed detection method is robust and has a wide range of adaptability in detecting various types of domain names generated by DGAs.

Dinh-Tu Truong,Guang Cheng

DOI: https://doi.org/10.1002/sec.1495

IF: 1.968

2016-01-01

Security and Communication Networks

Abstract:Modern botnets such as Zeus and Conficker commonly utilize a technique called domain fluxing or a domain generation algorithm to generate a large number of pseudo-random domain names (PDNs) dynamically for botnet operators to control their bots. These botnets are becoming one of the most serious threats to Internet security on a global scale. How to prevent their destructive action is one of the most pressing issues of today. In this paper, we focus on detecting domain-flux botnets within the monitored network based on Domain Name System (DNS) traffic features. This method passively captures all DNS traffic from the gateway of a monitored network and then extracts key features to identify PDN. Based on examining and analyzing a large number of legitimate domains as well as PDN generated by botnets, we have discovered that there is a discernible bias in the rules for constructing domain names. Therefore, we introduce a methodology that analyzes DNS traffic to extract the length and the expected value, which can distinguish between a domain name generated by humans or bots. In order to evaluate the effectiveness of the proposed approach, various machine learning algorithms are applied to train predictive models for our detection system. This proposed scheme is implemented and tested in a real local area network. The experimental results show that our proposed method achieves the highest detective efficiency for decision tree algorithms (J48) with an average overall accuracy of up to 92.3% and a false positive rate of 4.8%. Copyright (c) 2016 John Wiley & Sons, Ltd.

Truong Dinh Tu,Cheng Guang,Liang Yi Xin

DOI: https://doi.org/10.1109/ComManTel.2015.7394256

2015-01-01

Abstract:Modern botnets such as Zeus and Conficker commonly utilize a technique called domain fluxing or a Domain Generation Algorithm (DGA) to generate a large number of pseudo-random domain names dynamically for botnet operators to control their bots. These botnets are becoming one of the most serious threats to the Internet security on a global scale. In this paper, we present a method based on analyzing the similar periodic time intervals series of DNS queries to identify DGA-bot infected machines. This method passively captures all DNS traffic from the gateway of monitor network. Firstly, we group queries of the same domain name that is requested by hosts, and then extracts time interval series between adjacent queries. Secondly, we measure the similar periodicity of DNS queries by calculating the squared Euclidean distance between each pair of their time interval series. Finally, we apply a hierarchical clustering algorithm to cluster high similar domain names. The experiment results show that the domain names are generated by the same botnet or DGA would be grouped into the same cluster, thus all of the hosts that query to these clusters are marked as compromised hosts running a domain-flux botnet within monitor network.

Shaofang Zhou,Lanfen Lin,Junkun Yuan,Feng Wang,Zhaoting Ling,Jia Cui

DOI: https://doi.org/10.1109/isi.2019.8823200

2019-01-01

Abstract:Attackers often use domain generation algorithms (DGAs) to create various kinds of pseudorandom domains dynamically and select a part of them to connect with command and control servers, therefore it is important to automatically detect the algorithmically generated domains (AGDs). AGDs can be broken down into two categories: character-based domains and wordlist-based domains. Recently, methods based on machine learning and deep learning have been widely explored. However, much of the previous work perform well in detecting one kind of DGA families but poorly in classifying another kind. A general detection system which is applicable to both kinds of domains still remains a challenge. To address this problem, we propose a novel real-time detection method with high accuracy as well as high coverage. We first convey a domain name into a sequence of word-level or character-level components, then design a deep neural network based on temporal convolutional network to extract the implicit pattern and classify the domain into two or more categories. Our experimental results demonstrate that our model outperforms state-of-the-art approaches in both binary classification and multi-class classification, and shows a good performance in detecting different kinds of DGAs. Besides, the high training efficiency of our model makes it adjust to new malicious domains quickly.

yongzheng zhang,jun xiao

DOI: https://doi.org/10.1007/978-3-662-43908-1_17

2014-01-01

Abstract:To achieve the goals of concealment and migration, some Bot Nets, such as Conficker, Srizbis and Torpig, use Domain Generation Algorithm (DGA) to produce a large number of random domain names dynamically. Then a small subset of these domain names would be selected for actual C&C. Compared with normal domain names, these domain names generated by DGA have significant difference in length, character frequency, etc. Current researches mainly use clustering-classification methods to Detect abnormal domain name. Some of them use NXDomain traffic clustering, other researches based on the classification of string features, such as the distribution of alphanumeric characters and bigram. In fact, domain name has strict hierarchy and each domain level has particular regularities. In this paper, the hierarchical characteristic is introduced into the detection process. We divide the domain name into distinct levels and calculate the characteristic value separately. In each level, we use entropy, bigram and length detections. Because of different efficiency in levels, we design the weigh for each level based on their efficiency. Finally, the level characteristic value of domain name is the weighted average value of levels. Our experiments show that the accuracy of the level-based method is higher than 94 %.

Futai Zou,Linsen Li,Yue Wu,Jianhua Li,Siyu Zhang,Kaida Jiang

DOI: https://doi.org/10.1142/S0218194018400016

IF: 1.007

2018-01-01

International Journal of Software Engineering and Knowledge Engineering

Abstract:Domain-Flux malware is hard to detect because of the variable C&C (Command and Control) domains which were randomly generated by the technique of domain generation algorithm (DGA). In this paper, we propose a Domain-Flux malware detection approach based on DNS failure traffic. The approach fully leverages the behavior of DNS failure traffic to recognize nine features, and then mines the DGA-generated domains by a clustering algorithm and determinable rules. Theoretical analysis and experimental results verify its efficiency with both test dataset and real-world dataset. On the test dataset, our approach can achieve a true positive rate of 99.82% at false positive rate of 0.39%. On the real-world dataset, the approach can also achieve a relatively high precision of 98.3% and find out 197,026 DGA domains by analyzing DNS traffic in campus network for seven days. We found 1213 hosts of Domain-Flux malware existing on campus network, including the known Conficker, Fosniw and several new Domain-Flux malwares that have never been reported before. We classified 197,026 DGA domains and gave the representative generated patterns for a better understanding of the Domain-Flux mechanism.

Yang Pu,Xiaojun Chen,Yiguo Pu,JinQiao Shi

DOI: https://doi.org/10.1007/978-3-662-48683-2_24

2015-01-01

Abstract:Domain fluxing is a general method for botnet operators to control the victims and escape detection. Botnets based on domain fluxing, such as Conficker, Torpig, Kraken, generate a unique list of domain names based on a predefined domain generation algorithm (DGA). If the algorithm is known in advance, it is easy to identify and block botnet traffic. Unfortunately, exploiting details about the algorithm requires reverse-engineering technology and that is not always feasible. In this paper, we propose a methodology to detect auto-generated domains by measuring the disparity between auto-generated domains and normal domains. The idea is based on the observation that the normal domain names differ from auto-generated domain names in readability, randomness etc., because botnet don't use well-formed words which is highly likely registered. Clustering algorithm is used to group auto-generated domains into several separated clusters and normal domains into other clusters. As shown in the validation and experiment phase, we prove this method can detect DGA domains with high performance.

Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

Xiaodong Zang,Jianbo Cao,Xinchang Zhang,Jian Gong,Guiqing Li

DOI: https://doi.org/10.1007/s11235-023-01073-7

2024-01-01

Telecommunication Systems

Abstract:Botnets are one of the major threats to network security nowadays. To carry out malicious actions remotely, they heavily rely on Command and Control channels. DGA-based botnets use a domain generation algorithm to generate a significant number of domain names. By analyzing the linguistic distinctions between legitimate and DGA-based domain names, traditional machine learning schemes obtain great benefits. However, it is difficult to identify the ones based on wordlists or pseudo-random generated. Accordingly, this paper proposes an efficient CNN-LSTM-based detection model (BotDetector) that uses only a set of simple-to-compute, easy-to-compute character features. We evaluate our model with two open-source benchmark datasets (360 netlab, Bambenek) and real DNS traffic from the China Education and Research Network. Experimental results demonstrate that our algorithm improves by 1.6 % in terms of accuracy and F1-score and reduces the computation time by 9.4 % compared to other state-of-the-art alternatives. Remarkably, our work can identify botnet’s covert communication channels that use domain names based on word lists or pseudo-random generation without any help of reverse engineering.

Xiao-Dong Zang,Jian Gong,Shao-Huang Mo,Ahmad Jakalan,De-Lin Ding

DOI: https://doi.org/10.1109/access.2018.2880884

IF: 3.9

2018-01-01

IEEE Access

Abstract:Modern botnets rely on a new DNS technique called fast-flux to organize compromised hosts into fast-flux service networks (FFSNs), which helps bot herds to hide their upstream servers. Given the prevalence of this mechanism, various approaches have been proposed to detect them by analyzing DNS traffic. However, these detection mechanisms either have low detection accuracy or long detection latency. Moreover, they cannot capture the behavioral regularity and other novel traits of the evolving behavior of each botnet which is being tracked. This paper proposes a new FFSNs detection scheme to solve the above-mentioned limitations. The proposed approach can recognize groups of domains generated by a domain generation algorithms or its variants that are representative of different botnets. In addition to that, it can also identify whether the algorithmically generated domain names in a cluster are using fast-flux technology or not by applying a double-stages detection mechanism. The proposed work is implemented in a real network (China Education and Research Network), and the DNS traffic is collected from backbone routers. Experimental results demonstrate that our algorithm has significantly increased the detection accuracy compared with similar works and reduced the computational complexity.

Zhicheng Liu,Xiaochun Yun,Yongzheng Zhang,Yipeng Wang

DOI: https://doi.org/10.1109/TrustCom/BigDataSE.2019.00027

2019-01-01

Abstract:Botnet is a part of the most destructive threats to network security and is often used in malicious activities. DGA-based botnet, which uses Domain Generation Algorithm (DGA) to evade detection, has become the main channel to carry out online crimes. In the past, many detection mechanisms focusing on domain features are proposed, but the potential problem is that the features extracting only from the domain names are insufficient and the enemies could easily forge them to disturb detection. In this paper, we propose a novel approach named CCGA to detect DGA-based botnet by leveraging the concerted group behaviors of infected hosts on DNS traffic. The analysis of group behaviors enhances the robustness of our system irrespective of various evasion techniques, such as fake-querying, packet encryption and noise generated by normal users. The proposed scheme associates hosts together in an unsupervised way and then uses supervised learning to distinguish whether it's a botnet. Our system is evaluated in a large ISP over two days and compared with the state of art FANCI. Experimental results show that CCGA can accurately and effectively detect DGA-based botnet in a real-world network. Our system also catches 5 unknown botnet groups and provides a novel method to verify them. Therefore, the system will provide an unique perspective on the current state of globally distributed malware, particularly the ones that use DNS.

Ting Wang,Xin Hu,Jiyong Jang,Shouling Ji,Marc Stoecklin,Teryl Taylor

DOI: https://doi.org/10.1109/icdcs.2016.77

2016-01-01

Abstract:Recent years have witnessed a rampant use of domain generation algorithms (DGAs) in major botnet crimewares, which tremendously strengthens a botnet's capability to evade detection or takedown. Despite a plethora of existing studies on detecting DGA-generated domains in DNS traffic, remediating such threats still relies on vetting the DNS behavior of each individual device. Yet, in large networks featuring complicated DNS infrastructures, we often lack the capability or the resource to exhaustively investigate every part of the networks to identify infected devices in a timely manner. It is therefore of great interest to first assess the population distribution of DGA-bots inside the networks and to prioritize the remediation efforts. In this paper, we present BotMeter, a novel tool that accurately charts the DGA-bot population landscapes in large networks. Specifically, we embrace the prevalent yet challenging setting of hierarchical DNS infrastructures with caching and forwarding mechanisms enabled, whereas DNS traffic is observable only at certain upper-level vantage points. We establish a new taxonomy of DGAs that captures their characteristic DNS dynamics. This allows us to develop a rich library of rigorous analytical models to describe the complex relationships between bot populations and DNS lookups observed at vantage points. We provide results from extensive empirical studies using both synthetic data and real DNS traces to validate the efficacy of BotMeter.

Amr M. H. Saeed,Danghui Wang,Hamas A. M. Alnedhari,Kuizhi Mei,Jihe Wang

DOI: https://doi.org/10.1007/978-3-030-97774-0_12

2022-01-01

Abstract:Botnets are the most commonly used mechanisms for current cyberattacks such as DDoS, ransomware, email spamming, phishing data, etc. Botnets deploy the Domain Generation Algorithm (DGA) to conceal domain names of Command & Control (C&C) servers by generating several fake domain names. A sophisticated DGA can circumvent the traditional detection methods and successfully communicate with the C&C. Several detection methods like DNS sinkhole, DNS filtering and DNS logs analysis have been intensively studied to neutralize DGA. However, these methods have a high noise rate and require a massive amount of computational resources. To tackle this issue, several researchers leveraged Machine learning (ML) and Deep Learning (DL) algorithms to develop lightweight and cost-effective detection methods. The purpose of this paper is to investigate and evaluate the DGA detection methods based on ML/DL published in the last three years. After analyzing the relevant literature strengths and limitations, we conclude that low detection speed, encrypted DNS sensitivity, data imbalance sensitivity, and low detection accuracy with variant or unknown DGA are most likely the current research trends and opportunities. As far as we know, this survey is the first of its kind to discuss DGA detection techniques based on ML/DL in-depth, as well as analysis of their limitations and future trends.

Hao Tu,Zhi-Tang Li,Bin Liu

DOI: https://doi.org/10.1007/978-3-540-71549-8_40

2007-01-01

Abstract:Botnet is a new trend in Internet attacks. Because the propagation of botnets will not cause large traffic like worm, it is often difficult to detect it. Till now, the most common method to detect botnets is to use honeynets. Although previous work has described an active detection technique using DNS hijacking technique[1], there are little information about how to detect the domain names which botnets used. Some researchers also use DNS based method to detect botnets[2,3], but all of them use simple signature or statistical method which require much prior knowledge.

Ahmed M. Manasrah,Awsan Hasan,Omar Amer Abouabdalla,Sureswaran Ramadass

DOI: https://doi.org/10.48550/arXiv.0911.0487

2009-11-03

Networking and Internet Architecture

Abstract:IThe botnet is considered as a critical issue of the Internet due to its fast growing mechanism and affect. Recently, Botnets have utilized the DNS and query DNS server just like any legitimate hosts. In this case, it is difficult to distinguish between the legitimate DNS traffic and illegitimate DNS traffic. It is important to build a suitable solution for botnet detection in the DNS traffic and consequently protect the network from the malicious Botnets activities. In this paper, a simple mechanism is proposed to monitors the DNS traffic and detects the abnormal DNS traffic issued by the botnet based on the fact that botnets appear as a group of hosts periodically. The proposed mechanism is also able to classify the DNS traffic requested by group of hosts (group behavior) and single hosts (individual behavior), consequently detect the abnormal domain name issued by the malicious Botnets. Finally, the experimental results proved that the proposed mechanism is robust and able to classify DNS traffic, and efficiently detects the botnet activity with average detection rate of 89 percent.

zhang yongbin,lu yin,zhang yanning

DOI: https://doi.org/10.7652/xjtuxb201308010

2013-01-01

Abstract:The technique of domain flux has been used by many botnets to avoid being blocked by domain blacklists.A new technique is proposed to detect botnets by analyzing the patterns inherent to domains that comprise alphanumeric characters and query behavior of hosts.The method analyzes failed domain queries through support vector machine(SVM) to identify suspicious compromised hosts.Clustering analyses are then performed to generate new successful domains and the groups of hosts that query these domains,and to examine if these host groups are composed of compromised hosts.Then,the command and control(C&C) domains and related IP addresses used by botnets are detected.Experimental results show that the accuracy of SVM prediction reaches more than 98.5% after training,and that the system can accurately detect compromised hosts and IP of C&C servers when DNS traffic from the ISP is monitored.

Yu Chen,Sheng Yan,Tianyu Pang,Rui Chen

DOI: https://doi.org/10.1109/SSIC.2018.8556788

2018-01-01

Abstract:Domain Generation Algorithm (DGA) technique has been widely used by botnets as a covert command and control (C &C) channel of issuing control or attack commands through various DGA domains. This method can evade blacklisting detection and bring new challenges to the current detection method. This paper extracts feature set which is helpful to differentiate between malicious DGA domains and benign domains, and uses the Support Vector Machine (SVM) algorithm to train the detection model. Experimental results demonstrate that the detection method proposed in this paper is powerful with a high true positive rate 95% and a low false positive rate 1%.

Manmeet Singh,Maninder Singh,Sanmeet Kaur

DOI: https://doi.org/10.1007/s11416-023-00462-5

2023-01-25

Journal of Computer Virology and Hacking Techniques

Abstract:Data security and privacy concerns on the Internet are continuously rising considering security breaches. These security breaches are often due to the presence of host(s) infected with malware called bots. As a result, bot-infection detection in enterprise networks is getting a greater research focus. From the perspective of law enforcement, the focus is to detect and destroy the botnet infrastructure which comprises mostly of Command and Control server along with the technique used for communication. From an enterprise perspective, it is important to detect and quarantine bot-infected machines thereby preventing the chance of any security breach. While many efforts have been made to detect malicious domains, limited research is done to detect infected machines in an enterprise network. This paper presents a deep learning-based technique for detecting bot-infected machines in a network applied to the hourly hosts' Domain Name System (DNS) fingerprint. Multi feature anomaly detection technique was implemented to detect bots in the campus network thereby minimizing the number of false positives. The results indicate a significant improvement over previous work. Finally, a GUI tool named DeepDAD is presented to facilitate investigating and detecting bots in a network traffic using DNS traffic analysis.

Xingguo Li,Junfeng Wang,Xiaosong Zhang

DOI: https://doi.org/10.3390/fi9040055

2017-01-01

Future Internet

Abstract:With the help of botnets, intruders can implement a remote control on infected machines and perform various malicious actions. Domain Name System (DNS) is very famous for botnets to locate command and control (C and C) servers, which enormously strengthens a botnet's survivability to evade detection. This paper focuses on evasion and detection techniques of DNS-based botnets and gives a review of this field for a general summary of all these contributions. Some important topics, including technological background, evasion and detection, and alleviation of botnets, are discussed. We also point out the future research direction of detecting and mitigating DNS-based botnets. To the best of our knowledge, this topic gives a specialized and systematic study of the DNS-based botnet evading and detecting techniques in a new era and is useful for researchers in related fields.

Stefano Schiavoni,Federico Maggi,Lorenzo Cavallaro,Stefano Zanero

DOI: https://doi.org/10.48550/arXiv.1311.5612

2013-11-22

Abstract:Modern botnets rely on domain-generation algorithms (DGAs) to build resilient command-and-control infrastructures. Recent works focus on recognizing automatically generated domains (AGDs) from DNS traffic, which potentially allows to identify previously unknown AGDs to hinder or disrupt botnets' communication capabilities. The state-of-the-art approaches require to deploy low-level DNS sensors to access data whose collection poses practical and privacy issues, making their adoption problematic. We propose a mechanism that overcomes the above limitations by analyzing DNS traffic data through a combination of linguistic and IP-based features of suspicious domains. In this way, we are able to identify AGD names, characterize their DGAs and isolate logical groups of domains that represent the respective botnets. Moreover, our system enriches these groups with new, previously unknown AGD names, and produce novel knowledge about the evolving behavior of each tracked botnet. We used our system in real-world settings, to help researchers that requested intelligence on suspicious domains and were able to label them as belonging to the correct botnet automatically. Additionally, we ran an evaluation on 1,153,516 domains, including AGDs from both modern (e.g., Bamital) and traditional (e.g., Conficker, Torpig) botnets. Our approach correctly isolated families of AGDs that belonged to distinct DGAs, and set automatically generated from non-automatically generated domains apart in 94.8 percent of the cases.

Cryptography and Security