Bayesian bot detection based on DNS traffic similarity

Villamarín-Salomón, Ricardo; Brustoloni, José Carlos

doi:10.1145/1529282.1529734

Cited by 57 publications

(23 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…However these papers use the DNS traffic behavior and not the mapping information used by Notos and in our work. Villarmin et al [13] provide C&C detection technique motivated by the fact that bots typically initiate contact with C&C servers to poll for instructions. As an example, for each domain, they aggregate the number of non-existent domains (NXDOMAIN) responses per hour and use it as one of the classification features.…”

Section: Background and Related Workmentioning

confidence: 99%

A Topology Based Flow Model for Computing Domain Reputation

Mishsky

Gal-Oz

Gudes

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. The Domain Name System (DNS) is an essential component of the internet infrastructure that translates domain names into IP addresses. Recent incidents verify the enormous damage of malicious activities utilizing DNS such as bots that use DNS to locate their command & control servers. Detecting malicious domains using the DNS network is therefore a key challenge. We project the famous expression Tell me who your friends are and I will tell you who you are, motivating many social trust models, on the internet domains world. A domain that is related to malicious domains is more likely to be malicious as well. In this paper, our goal is to assign reputation values to domains and IPs indicating the extent to which we consider them malicious. We start with a list of domains known to be malicious or benign and assign them reputation scores accordingly. We then construct a DNS based graph in which nodes represent domains and IPs. Our new approach for computing domain reputation applies a flow algorithm on the DNS graph to obtain the reputation of domains and identify potentially malicious ones. The experimental evaluation of the flow algorithm demonstrates its success in predicting malicious domains.

show abstract

Section: Background and Related Workmentioning

confidence: 99%

A Topology Based Flow Model for Computing Domain Reputation

Mishsky

Gal-Oz

Gudes

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…In traditional, non-DTN, networks, Kolbitsch et al [8] and Bayer et al [9] proposed to detect malware with learned behavioral model, in terms of system call and program flow. We extend the Naive Bayesian model, which has been applied in filtering email spams [13], [14], [15], detecting botnets [16], and designing IDSs [10], [17], and address DTN-specific, malware-related, problems. In the context of detecting slowly propagating Internet worm, Dash et al presented a distributed IDS architecture of local/global detector that resembles the neighborhood-watch model, with the assumption of attested/honest evidence, i.e., without liars [10].…”

Section: Related Workmentioning

confidence: 99%

“…In this paper, we present a simple, yet effective solution, look ahead, which naturally reflects individual nodes' intrinsic risk inclinations against malware infection, to balance between these two extremes. Essentially, we extend the naive Bayesian model, which has been applied in filtering email spams [13], [14], [15], detecting botnets [16], and designing IDSs [10], [17], and address two DTNspecific, malware-related, problems:…”

Section: Introductionmentioning

confidence: 99%

Behavioral Malware Detection in Delay Tolerant Networks

Peng

Zou

et al. 2014

IEEE Trans. Parallel Distrib. Syst.

View full text Add to dashboard Cite

Abstract-The delay-tolerant-network (DTN) model is becoming a viable communication alternative to the traditional infrastructural model for modern mobile consumer electronics equipped with short-range communication technologies such as Bluetooth, NFC, and Wi-Fi Direct. Proximity malware is a class of malware that exploits the opportunistic contacts and distributed nature of DTNs for propagation. Behavioral characterization of malware is an effective alternative to pattern matching in detecting malware, especially when dealing with polymorphic or obfuscated malware. In this paper, we first propose a general behavioral characterization of proximity malware which based on naive Bayesian model, which has been successfully applied in non-DTN settings such as filtering email spams and detecting botnets. We identify two unique challenges for extending Bayesian malware detection to DTNs ("insufficient evidence versus evidence collection risk" and "filtering false evidence sequentially and distributedly"), and propose a simple yet effective method, look ahead, to address the challenges. Furthermore, we propose two extensions to look ahead, dogmatic filtering, and adaptive look ahead, to address the challenge of "malicious nodes sharing false evidence." Real mobile network traces are used to verify the effectiveness of the proposed methods.

show abstract

“…The investigations, devoted to botnet counteraction methods, may be conditionally divided into two logical groups: methods, which are based on identification of predefined signatures [28], and methods which rely on detection of local and network anomalies [3,10,18,32]. The second group of methods has a significant advantage against first group in ability to detect unknown threats not having specific knowledge of their implementation [15].…”

Section: Related Workmentioning

confidence: 99%