PsyBoG: A scalable botnet detection method for large-scale DNS traffic

Kwon, Jonghoon; Lee, Je-Hyun; Lee, Heejo; Perrig, Adrian

doi:10.1016/j.comnet.2015.12.008

Cited by 102 publications

(58 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…This work does not seek to compete with the existing tools for detecting DGA but rather it seeks to complement existing works [1], [2], [3], [7], [18], [27], [44]. This paper expands upon previous work related to the detection of algorithmically-generated domain names [15], and seeks to answer the following research question:…”

Section: Introductionmentioning

confidence: 91%

See 1 more Smart Citation

Detection of Algorithmically Generated Malicious Domain

Agyepong¹,

Buchanan²,

Jones³

2018

Computer Science &Amp; Information Technology

View full text Add to dashboard Cite

show abstract

Section: Introductionmentioning

confidence: 91%

“…Whilst DDNS provides a useful feature for organisations that need to maintain consistent services, because they rely on a dynamic IP range allocated by their Internet Service Provider (ISP) [18]. Arntz [5] explains that, cyber-criminals exploit this feature to increase the survivability of their C&C server.…”

Section: Introductionmentioning

confidence: 99%

Detection of Algorithmically Generated Malicious Domain

Agyepong¹,

Buchanan²,

Jones³

2018

Computer Science &Amp; Information Technology

View full text Add to dashboard Cite

show abstract

“…This set of data was manually classified to provide D CDN ' and D BOT ' sets. [20,21,27] No No No Medium Large F2 Place of domain registration (country) [20] Yes No Yes Small Small F3 Number of subdomains in the domain [26] Yes No Yes Medium Large F4 The domain name according to dictionary [26,30,32] Yes No Can Large Small F5 The similarity of certain elements of the domain name with a valid domain name [26,30,33] Yes No Yes Medium Large F6 Numbers in domain names [27] Yes No Yes Small Small F7 The length of the longest word in the domain name [27] Yes No Yes Small Small F8 Number and duration of the connection [26] No No Yes Large Large F9 Similar daily behavior of the domain [27,32] No No Yes Large Large F10 Recurring cycles of query to the authoritative server [28] No The summary set of data used for experimental setup is given by:…”

Section: Evaluation Of Feature Characteristicsmentioning

confidence: 99%

“…A tool called PsyBoG is developed for detecting malicious behaviour within large volumes of DNS traffic [33]. PsyBoG leverages a signal processing technique, power spectral density (PSD) analysis, to discover the major frequencies resulting from the periodic DNS queries of Botnets.…”

Section: Related Workmentioning

confidence: 99%

Fast-Flux Botnet Detection Based on Traffic Response and Search Engines Credit Worthiness

2018

View full text Add to dashboard Cite

Botnets are considered as the primary threats on the Internet and there have been many research efforts to detect and mitigate them. Today, Botnet uses a DNS technique fast-flux to hide malware sites behind a constantly changing network of compromised hosts. This technique is similar to trustworthy Round Robin DNS technique and Content Delivery Network (CDN). In order to distinguish the normal network traffic from Botnets different techniques are developed with more or less success. The aim of this paper is to improve Botnet detection using an Intrusion Detection System (IDS) or router. A novel classification method for online Botnet detection based on DNS traffic features that distinguish Botnet from CDN based traffic is presented. Botnet features are classified according to the possibility of usage and implementation in an embedded system. Traffic response is analysed as a strong candidate for online detection. Its disadvantage lies in specific areas where CDN acts as a Botnet. A new feature based on search engine hits is proposed to improve the false positive detection. The experimental evaluations show that proposed classification could significantly improve Botnet detection. A procedure is suggested to implement such a system as a part of IDS.

show abstract

“…Provided with the general trend of this mechanism, recent works have focused on the analysis of DNS traffic to identify botnets relying on their DGAs. Various technologies have since been designed to detect DGA domains in DNS traffic, containing analyzing algorithmic models of domains, reverse-engineering malware instances [30,31], grouped into non-existent domains in DNS lookups [32,33], behavioral models [34,35], Social Network Analysis [36], power spectral density (PSD) analysis [37], and directly capturing C and C traffic [38,39]. However, influencing detected DGA domains to create a practical fix to botnet threats in large-scale networks is currently restricted.…”

Section: Dga-based Botnet Detectionmentioning

confidence: 99%

Botnet Detection Technology Based on DNS

Wang

Zhang

2017

Future Internet

View full text Add to dashboard Cite

With the help of botnets, intruders can implement a remote control on infected machines and perform various malicious actions. Domain Name System (DNS) is very famous for botnets to locate command and control (C and C) servers, which enormously strengthens a botnet's survivability to evade detection. This paper focuses on evasion and detection techniques of DNS-based botnets and gives a review of this field for a general summary of all these contributions. Some important topics, including technological background, evasion and detection, and alleviation of botnets, are discussed. We also point out the future research direction of detecting and mitigating DNS-based botnets. To the best of our knowledge, this topic gives a specialized and systematic study of the DNS-based botnet evading and detecting techniques in a new era and is useful for researchers in related fields.

show abstract

PsyBoG: A scalable botnet detection method for large-scale DNS traffic

Cited by 102 publications

References 17 publications

Detection of Algorithmically Generated Malicious Domain

Detection of Algorithmically Generated Malicious Domain

Fast-Flux Botnet Detection Based on Traffic Response and Search Engines Credit Worthiness

Botnet Detection Technology Based on DNS

Contact Info

Product

Resources

About