An architecture for botnet detection based on analysis of discarded DNS traffic
Abstract
Botnets are one of the main threats on the Internet, capable of assisting in carrying out malicious activities. After infecting a host, a bot tries to communicate with its command and control server. At this point, recent bots use Domain Generation Algorithms to create a list of candidate domain names for command and control servers. One consequence of this behaviour is an increase in negative responses from the DNS protocol. This traffic, usually discarded or ignored by network administrators, can be used to model the behaviour of a botnet. Based on the increase in the number of negative DNS responses and on access to samples collected in a controlled environment, this work presents an architecture capable of generating detection models for these bots. The experiments showed an accuracy level above 90% in most scenarios.
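The signal the abstract describes, an unusual volume of negative (NXDOMAIN) DNS responses from one host, can be turned into per-host features and a simple flagging rule. The following is an added example and not the paper's architecture or code; the log format, the constructed sample responses and the thresholds are assumptions.

```python
"""Per-host features from negative DNS responses (NXDOMAIN).
Added example; log format, sample data and thresholds are assumed."""
from collections import defaultdict

# Constructed sample of DNS responses: "epoch client qname rcode"
SAMPLE_LOG = """\
1500000000 10.0.0.5 www.example.com NOERROR
1500000001 10.0.0.5 mail.example.com NOERROR
1500000002 10.0.0.5 typo-exmaple.com NXDOMAIN
1500000000 10.0.0.9 kq3xz9vb2.net NXDOMAIN
1500000001 10.0.0.9 p0d8fj2ka.com NXDOMAIN
1500000002 10.0.0.9 zr7h1mwq3.org NXDOMAIN
1500000003 10.0.0.9 vx82lqpd0.net NXDOMAIN
1500000004 10.0.0.9 update.example.com NOERROR
"""

def parse_log(text):
    """Yield (client, qname, rcode) from whitespace-separated log lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash
        _ts, client, qname, rcode = parts
        yield client, qname.lower().rstrip("."), rcode

def host_features(records):
    """Aggregate per client: total responses, NXDOMAIN count and ratio,
    and the number of distinct registered domains that failed to resolve."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "nx_domains": set()})
    for client, qname, rcode in records:
        s = stats[client]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
            s["nx_domains"].add(".".join(qname.split(".")[-2:]))
    return {
        c: {"total": s["total"], "nx": s["nx"],
            "nx_ratio": s["nx"] / s["total"],
            "distinct_nx": len(s["nx_domains"])}
        for c, s in stats.items()
    }

def flag_dga_suspects(features, min_nx=3, min_ratio=0.5):
    """Hosts with many failed lookups across many domains (thresholds assumed)."""
    return sorted(c for c, f in features.items()
                  if f["nx"] >= min_nx and f["nx_ratio"] >= min_ratio
                  and f["distinct_nx"] >= min_nx)

if __name__ == "__main__":
    feats = host_features(parse_log(SAMPLE_LOG))
    print(flag_dga_suspects(feats))  # ['10.0.0.9']
```

A single typo-induced NXDOMAIN (10.0.0.5) stays below the thresholds, while a host cycling through many never-registered names (10.0.0.9) is flagged.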
Published
06/11/2017
How to Cite
BARBOSA, Luiz Gonzaga Mota; CELESTINO JÚNIOR, Joaquim; SANTOS, André Luiz Moura dos. Uma arquitetura para detecção de botnets baseada na análise do tráfego DNS descartado. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 17., 2017, Brasília. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2017. p. 196-209. DOI: https://doi.org/10.5753/sbseg.2017.19500.