Identifying Botnets Using Anomaly Detection Techniques Applied to DNS Traffic

Villamarín-Salomón, Ricardo; Brustoloni, José Carlos

doi:10.1109/ccnc08.2007.112

Cited by 96 publications

(46 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Fast-flux techniques are mainly orthogonal to the actual launching of (DNS) tunnels and communication through them. The approach by Villamarin-Salomon and Brustoloni focuses on abnormally high or temporally concentrated query rates of dynamic DNS queries [26]. This does not suffice, however, since such patterns also occur for legitimate purposes.…”

Section: Dns Anomaly Detectionmentioning

confidence: 99%

DNS Tunneling for Network Penetration

Raman

Sutter

Coppens

et al. 2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Most networks are connected to the Internet through firewalls to block attacks from the outside and to limit communication initiated from the inside. Because of the limited, supposedly safe functionality of the Domain Name System protocol, its traffic is by and large neglected by firewalls. The resulting possibility for setting up information channels through DNS tunnels is already known, but all existing implementations require help from insiders to set up the tunnels. This paper presents a new Metasploit module for integrated penetration testing of DNS tunnels and uses that module to evaluate the potential of DNS tunnels as communication channels set up through standard, existing exploits and supporting many different command-and-control malware modules.

show abstract

Section: Dns Anomaly Detectionmentioning

confidence: 99%

DNS Tunneling for Network Penetration

Raman

Sutter

Coppens

et al. 2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Botnet DNS traffic exhibits some unique properties like sudden and abnormal increase in DNS request rates mainly due to group activities of bots within a botnet, use of Dynamic DNS (DDNS) and in many cases use of fast-flux service network (FFSN) that results in rapidly changing DNS entries [12] [13]. Moreover, most botnets today uses DNS to find C&C server.…”

Section: Related Workmentioning

confidence: 99%

An Efficient Machine Learning Based Classification Scheme for Detecting Distributed Command & Control Traffic of P2P Botnets

Barthakur¹,

Dahal²,

Ghose³

2013

IJMECS

View full text Add to dashboard Cite

Abstract-Biggest internet security threat is the rise of Botnets having modular and flexible structures. The combined power of thousands of remotely controlled computers increases the speed and severity of attacks. In this paper, we provide a comparative analysis of machine-learning based classification of botnet command & control(C&C) traffic for proactive detection of Peer-toPeer (P2P) botnets. We combine some of selected botnet C&C traffic flow features with that of carefully selected botnet behavioral characteristic features for better classification using machine learning algorithms. Our simulation results show that our method is very effective having very good test accuracy and very little training time. We compare the performances of Decision Tree (C4.5), Bayesian Network and Linear Support Vector Machines using performance metrics like accuracy, sensitivity, positive predictive value(PPV) and F-Measure. We also provide a comparative analysis of our predictive models using AUC (area under ROC curve). Finally, we propose a rule induction algorithm from original C4.5 algorithm of Quinlan. Our proposed algorithm produces better accuracy than the original decision tree classifier.

show abstract

“…Botnet masters have used IP addresses or IRC servers as C&C servers in the past. Recently, however, they started to use Dynamic DNS, which is able to change the IP address of DNS addresses dynamically to prevent the C&C addresses being blocked [10]. A system that blocks DNS addresses as well as IP addresses is therefore also needed to defend against botnets.…”

Section: General Architecturementioning

confidence: 99%

“…The former approach consists mainly of three technical methods: congestion control [33] [34], network configuration [22] [35], and signature filters [16] [18] [36]. On the other hand, the types of application-based defense mechanisms are much more numerous: client-puzzle [37], IRC-based [23], anomaly-based [10] [27], DNS tracking [25], and attack traffic suppression [24]. In addition to these traditional defense methods, advanced defense methods, such as reverse engineering [20] and honeypot [29] [31], also exist.…”

Section: Related Workmentioning

confidence: 99%

A Hybrid Defense Technique for ISP Against the Distributed Denial of Service Attacks

Moon

Choi

Kim

et al. 2014

Appl. Math. Inf. Sci.

View full text Add to dashboard Cite

Abstract:As malicious traffic from botnets now threatens the network infrastructure of Internet Service Providers (ISPs), the importance of controlling botnets is greater than ever before. However, it is not easy to handle rapidly evolving botnets efficiently because of the highly evolved detection avoidance techniques used by botnet makers. Further, nowadays, Distributed Denial of Service (DDoS) attacks can compromise not only specific target sites but also the entire network infrastructure, as high-bandwidth Internet services are now being provided. Thus, ISPs are deploying their own defense systems to prevent DDoS attacks and protect their network infrastructure. However, the new problem ISPs confront is that botnet masters also try to destroy their defense systems to make their attack successful. ISPs can mitigate DDoS through botnet-specific management by taking preemptive measures, such as the proactive reverse engineering of suspicious code and the use of honeypots. This paper illustrates an advanced DDoS defense technique for the use of ISPs with a real case study of the technique's implementation. This technique was proven very effective method for controlling botnets, and we could confirm this effectiveness in a real ISP environment.

show abstract

Identifying Botnets Using Anomaly Detection Techniques Applied to DNS Traffic

Cited by 96 publications

References 9 publications

DNS Tunneling for Network Penetration

DNS Tunneling for Network Penetration

An Efficient Machine Learning Based Classification Scheme for Detecting Distributed Command & Control Traffic of P2P Botnets

A Hybrid Defense Technique for ISP Against the Distributed Denial of Service Attacks

Contact Info

Product

Resources

About