Detecting bot-infected machines based on analyzing the similar periodic DNS queries

Tu, Truong Dinh; Cheng, Guang; Xin, Liang Yi

doi:10.1109/commantel.2015.7394256

Cited by 11 publications

(4 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…ey leveraged the deterministic nature of such algorithms and trained a deep neural network composed of LSTM, CNN and ANN in order to identify whether a paritcular host was making DNS calls for domains that were DGA generated. In a similar study Tu et al [15] leveraged the similarity of DNS queries in order to identify bot-infected machines.…”

Section: Bots and Botnetsmentioning

confidence: 99%

Transfer Learning Auto-Encoder Neural Networks for Anomaly Detection of DDoS Generating IoT Devices

Anwar

Shaheen

Gani

2022

Security and Communication Networks

View full text Add to dashboard Cite

Machine Learning based anomaly detection ap- proaches have long training and validation cycles. With IoT devices rapidly proliferating, training anomaly models on a per device basis is impractical. This work explores the “transfer- ability” of a pre-trained autoencoder model across devices of similar and different nature. We hypothesized that devices of similar nature would have similar high level feature character- istics represented by the initial layers of the autoencoder, while the more distinct features are captured by the innermost layer of the neural network. In our experiments, the centre-most layers of autoencoder models were re-trained with limited new data belonging to a different device. Datasets of seven Mirai infected and nine Bashlite infected IoT devices were used; each dataset also included benign records representing un-infected behaviour. We observed that the model’s detection accuracy improved by an average of 9.52% for Mirai and 44.59% for Bashlite. The highest performance improvement of 26.68% and 73.00% was observed when the anomaly model of Ecobee thermostat was tested on other devices before and after transfer learning for Mirai and Bashlite respectively. Additionally, transfer learning took 47.31% and 58.27% less time for Mirai and Bashlite respectively. We further trialed the efficacy of the autoencoder based anomaly model on flow based records of network traffic using the CIC- IDS2017 dataset. It was observed that the model performed best when distinct outliers in the dataset were present, whereas the model failed to perform decently in cases where the malicious activity did not cause significant deviation in network traffic’s footprint.

show abstract

Section: Bots and Botnetsmentioning

confidence: 99%

Transfer Learning Auto-Encoder Neural Networks for Anomaly Detection of DDoS Generating IoT Devices

Anwar

Shaheen

Gani

2022

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…Machine learning (ML) methods, using static [27] and dynamic [28] investigation to classify malicious contend [29], to achieve network traffic arrangement [30], to analyze malware traffic [31] and to identify botnets [32], has been done in the past. In contrast, numerous writers suggest different classifications methods or discovery procedures, presenting alternative classes of botnet detection [33,34]. Generally, the traffic analysis with machine learning-based methods has proved effective in the investigation of some of the biggest and most harmful cyber-attacks over the past decade [35][36][37].…”

Section: Related Workmentioning

confidence: 99%

The Next Generation Cognitive Security Operations Center: Network Flow Forensics Using Cybersecurity Intelligence

Demertzis

Kikiras

Tziritas

et al. 2018

BDCC

View full text Add to dashboard Cite

A Security Operations Center (SOC) can be defined as an organized and highly skilled team that uses advanced computer forensics tools to prevent, detect and respond to cybersecurity incidents of an organization. The fundamental aspects of an effective SOC is related to the ability to examine and analyze the vast number of data flows and to correlate several other types of events from a cybersecurity perception. The supervision and categorization of network flow is an essential process not only for the scheduling, management, and regulation of the network's services, but also for attacks identification and for the consequent forensics' investigations. A serious potential disadvantage of the traditional software solutions used today for computer network monitoring, and specifically for the instances of effective categorization of the encrypted or obfuscated network flow, which enforces the rebuilding of messages packets in sophisticated underlying protocols, is the requirements of computational resources. In addition, an additional significant inability of these software packages is they create high false positive rates because they are deprived of accurate predicting mechanisms. For all the reasons above, in most cases, the traditional software fails completely to recognize unidentified vulnerabilities and zero-day exploitations. This paper proposes a novel intelligence driven Network Flow Forensics Framework (NF3) which uses low utilization of computing power and resources, for the Next Generation Cognitive Computing SOC (NGC2SOC) that rely solely on advanced fully automated intelligence methods. It is an effective and accurate Ensemble Machine Learning forensics tool to Network Traffic Analysis, Demystification of Malware Traffic and Encrypted Traffic Identification.

show abstract

“…A method presented based on analyzing the similar periodic time intervals series of DNS queries to identify DGA-bot-infected machines [11]. To measure the similar periodicity of DNS queries, the squared Euclidean distance between each pair of their time interval series is calculated.…”

Section: Introductionmentioning

confidence: 99%

A Novel Approach for Detecting DGA-Based Botnets in DNS Queries Using Machine Learning Techniques

Soleymani

Arabgol

2021

Journal of Computer Networks and Communications

View full text Add to dashboard Cite

In today’s security landscape, advanced threats are becoming increasingly difficult to detect as the pattern of attacks expands. Classical approaches that rely heavily on static matching, such as blacklisting or regular expression patterns, may be limited in flexibility or uncertainty in detecting malicious data in system data. This is where machine learning techniques can show their value and provide new insights and higher detection rates. The behavior of botnets that use domain-flux techniques to hide command and control channels was investigated in this research. The machine learning algorithm and text mining used to analyze the network DNS protocol and identify botnets were also described. For this purpose, extracted and labeled domain name datasets containing healthy and infected DGA botnet data were used. Data preprocessing techniques based on a text-mining approach were applied to explore domain name strings with n-gram analysis and PCA. Its performance is improved by extracting statistical features by principal component analysis. The performance of the proposed model has been evaluated using different classifiers of machine learning algorithms such as decision tree, support vector machine, random forest, and logistic regression. Experimental results show that the random forest algorithm can be used effectively in botnet detection and has the best botnet detection accuracy.

show abstract

Detecting bot-infected machines based on analyzing the similar periodic DNS queries

Cited by 11 publications

References 17 publications

Transfer Learning Auto-Encoder Neural Networks for Anomaly Detection of DDoS Generating IoT Devices

Transfer Learning Auto-Encoder Neural Networks for Anomaly Detection of DDoS Generating IoT Devices

The Next Generation Cognitive Security Operations Center: Network Flow Forensics Using Cybersecurity Intelligence

A Novel Approach for Detecting DGA-Based Botnets in DNS Queries Using Machine Learning Techniques

Contact Info

Product

Resources

About