An architecture for botnet detection based on analysis of discarded DNS traffic

  • Luiz Gonzaga Mota Barbosa UECE
  • Joaquim Celestino Júnior UECE
  • André Luiz Moura dos Santos UECE

Abstract


Botnets are one of the main threats on the Internet and support a wide range of malicious activities. After a host is infected, the bot tries to communicate with its command and control servers. At this point, recent bots use Domain Generation Algorithms to create a list of candidate domain names for the command and control servers. One consequence of this behavior is an increase in negative DNS answers. This traffic, usually discarded or ignored by network administrators, can be used to model botnet behavior. Based on the increase in the number of negative DNS answers, and using samples collected from a controlled environment, this paper presents an architecture capable of generating detection models for these bots. The tests showed an accuracy level above 90% in most test cases.
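The detection idea summarized above, counting negative DNS answers per host in a time window and flagging hosts with an abnormal volume, as an added Python example that is not code from the paper. The resolver log format, the window size, the feature names and the thresholds are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed resolver log lines (not from the paper): a benign host with one
# typo, and a host whose queries look like a DGA walking through candidate
# C&C names and getting NXDOMAIN back for each of them.
SAMPLE_LOG = """\
1510000001 10.0.0.5 www.example.com NOERROR
1510000002 10.0.0.5 mail.example.com NOERROR
1510000003 10.0.0.5 wwww.example.com NXDOMAIN
1510000004 10.0.0.9 www.example.com NOERROR
1510000005 10.0.0.9 qhxkzvtr.com NXDOMAIN
1510000006 10.0.0.9 plmwzoqe.net NXDOMAIN
1510000007 10.0.0.9 ybtrkqnc.org NXDOMAIN
1510000008 10.0.0.9 zdkwlpqa.com NXDOMAIN
1510000009 10.0.0.9 plmwzoqe.net NXDOMAIN
1510000010 10.0.0.9 cvrtnwqx.biz NXDOMAIN
"""
# Assumed format: "<unix ts> <client ip> <qname> <rcode>"
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")

def extract_features(log_text, window=60):
    """Per (client, window start) features from negative DNS answers.
    Window size and feature names are assumptions, not the paper's."""
    buckets = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "failed": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, client, qname, rcode = m.groups()
        b = buckets[(client, int(ts) // window * window)]
        b["queries"] += 1
        if rcode == "NXDOMAIN":
            b["nxdomain"] += 1
            b["failed"].add(qname.lower())  # repeated failed names count once
    return {key: {"queries": b["queries"], "nxdomain": b["nxdomain"],
                  "nx_ratio": b["nxdomain"] / b["queries"],
                  "distinct_failed": len(b["failed"])}
            for key, b in buckets.items()}

def suspicious_hosts(features, min_nx=5, min_ratio=0.5):
    """Flag clients with a window over both (assumed) thresholds; in the
    paper's architecture a trained classifier would take this role."""
    return sorted({c for (c, _), f in features.items()
                   if f["nxdomain"] >= min_nx and f["nx_ratio"] >= min_ratio})
```

The single typo from 10.0.0.5 stays below both thresholds, while the run of failed lookups from 10.0.0.9 is flagged.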

Published: 2017-11-06

How to cite: BARBOSA, Luiz Gonzaga Mota; CELESTINO JÚNIOR, Joaquim; SANTOS, André Luiz Moura dos. Uma arquitetura para detecção de botnets baseada na análise do tráfego DNS descartado. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 17., 2017, Brasília. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2017. p. 196-209. DOI: https://doi.org/10.5753/sbseg.2017.19500.