Cylindrical Coordinates Security Visualization for multiple domain command and control botnet detection

Seo, Ilju; Lee, Heejo; Han, Seung Chul

doi:10.1016/j.cose.2014.07.007

Cited by 8 publications

(4 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Furthermore, as seen in the literature, another technique seeks to analyse network traffic for traffic/packets that exhibit behaviours that deviate from the normal, observable network behaviour (an anomaly), such as those proposed by Wang et al [76], Boukhtouta et al [77], Zhao et al [78] and Caglayan et al [79]. Anomalous behaviours could also be analysed in relation to hypertext transfer protocol (HTTP) traffic, such as noted by Jiaet al [80], Mathew et al [81], Choi et al [82] and Eslahi et al [83]; domain name service (DNS) query patterns and properties, such as by Seo et al [84] and Futai et al [85]; and transmission control protocol (TCP) requests, such as that looked into by Abdullah et al [86]. Some other techniques discovered in the literature involve the graphical analysis and interpretation of the associations and interactions of bots, in a bid to forecast their potentials, understand the structure of their C&C, amongst others, as proposed by Wang and Paschalidis (2014) [87]; or the analysis of search engine log files, as proposed by Zhang et al [88].…”

Section: Analysis-basedmentioning

confidence: 99%

A Botnets Circumspection: The Current Threat Landscape, and What We Know So Far

et al. 2019

View full text Add to dashboard Cite

Botnets have carved a niche in contemporary networking and cybersecurity due to the impact of their operations. The botnet threat continues to evolve and adapt to countermeasures as the security landscape continues to shift. As research efforts attempt to seek a deeper and robust understanding of the nature of the threat for more effective solutions, it becomes necessary to again traverse the threat landscape, and consolidate what is known so far about botnets, that future research directions could be more easily visualised. This research uses the general exploratory approach of the qualitative methodology to survey the current botnet threat landscape: Covering the typology of botnets and their owners, the structure and lifecycle of botnets, botnet attack modes and control architectures, existing countermeasure solutions and limitations, as well as the prospects of a botnet threat. The product is a consolidation of knowledge pertaining the nature of the botnet threat; which also informs future research directions into aspects of the threat landscape where work still needs to be done.

show abstract

Section: Analysis-basedmentioning

confidence: 99%

A Botnets Circumspection: The Current Threat Landscape, and What We Know So Far

et al. 2019

View full text Add to dashboard Cite

show abstract

“…Additionally, the work by Seo et al in [8] and by Alonso et al [9] present novel approaches to detect attacks to the DNS service. The former proposes a visualisation tool that is capable of detecting botnet behaviour based on DNS requests.…”

Section: Related Workmentioning

confidence: 99%

“…Detecting and preventing DDoS attacks is an ongoing research topic. A current approach for DDoS attacks detection is by means of visualisation techniques [7], [8]; however, the main drawback is that visualisation could be overwhelming for administrators. However, machine learning techniques could complement visualisations providing further information and alerts that could ease the visual inspections whenever an undergoing attack is in place.…”

Section: Introductionmentioning

confidence: 99%

“…3) We proposed a novel visual model to graphically interpret the state of the DNS traffic and to point out any anomalies using visual semaphores. A very interesting approach is proposed in [8] but with a different aim, which is the detection of botnet behaviour. Their model maps DNS requests to a cylindrical coordinate system in order to visualise behavioural patterns that correspond to bot activity.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

DNS-ADVP: A Machine Learning Anomaly Detection and Visual Platform to Protect Top-Level Domain Name Servers Against DDoS Attacks

et al. 2019

View full text Add to dashboard Cite

DNS DDoS attacks may severely affect the operation of computer networks, prompting the need for methods able to timely detect them, and then to apply mitigation countermeasures. Visual models have been used to detect an ongoing DDoS attack, but often demand continuous attention from IT staff. However, machine learning techniques could complement a visual model with further information and with on-time alerts that could help IT officers give attention only when an attack is in progress at its very early stage. In this paper, we present DNS-ADVP, a DNS Anomaly Detection Visual Platform, which, in an integrated manner, provides a novel visualisation that depicts on-line DNS traffic, and a one-class classifier that deals with traffic anomaly detection. Using the visual mode, an IT officer may interpret the current state of traffic for an authoritative DNS server; the model comes with visual semaphores, controlled by the one-class classifier. Due to the highly dynamic nature of DNS traffic, our classification method continuously updates what counts as normal behaviour; it has been successfully tested on synthetic attacks, with an 83% of the area under the curve (AUC). DNS-ADVP is currently in use to real-time monitoring an actual authoritative DNS server.

show abstract