DOCSLIB.ORG

Network Based Botnet Detection

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Network Based Botnet Detection 2012-ENST EDITE - ED 130 Ph.D. ParisTech DISSERTATION In Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy from TELECOM ParisTech Specialization « Internet and System’s Security » presented and defended by Leyla BILGE on the 15th of December 2011 Network Based Botnet Detection Thesis supervisor : Prof. Engin Kirda Jury Mr. Herbert BOS, Prof., Vrije Universiteit, Amsterdam Reviewer Mr. Christopher Kruegel, Prof., University of California, Santa Barbara Reviewer Mr. Marc Dacier, Prof., Symantec Examiner Mr. Refik Molva, Prof., Eurecom, Sophia Antipolis Examiner TELECOM ParisTech école de l’Institut Télécom - membre de ParisTech 2012-ENST EDITE - ED 130 Doctorat ParisTech THÈSE pour obtenir le grade de docteur délivré par TELECOM ParisTech Spécialité « Sécurité d’Internet et des systèmes » présentée et soutenue publiquement par Leyla BILGE le 15 Décembre 2011 La Détection des Botnet par l’Analyse de Réseau Directeur de thèse : Prof. Engin KIRDA Jury Mr. Herbert BOS, Prof., Vrije Universiteit, Amsterdam Rapporteur Mr. Christopher Kruegel, Prof., University of California, Santa Barbara Rapporteur Mr. Marc Dacier, Prof., Symantec Examinateur Mr. Refik Molva, Prof., Eurecom, Sophia Antipolis Examinateur TELECOM ParisTech école de l’Institut Télécom - membre de ParisTech Bubacı˘gıma... Abstract The days when the Internet used to be an academic network with no malicious activity are long gone. Today, there is a high incentive for cyber- criminals to engage in malicious, profit-oriented illegal activity on the Inter- net. A popular tool of choice for digital criminals today are bots. Compared to other types of malware, the distinguishing characteristic of a bot is its ability to establish a command and control (C&C) channel that allows an attacker to remotely control or update a compromised machine. A number of bot-infected machines that are combined under the control of a single, malicious entity are referred to as a botnet. Such botnets are often abused as platforms to launch denial of service to send spam or to host scam pages. In this thesis, we propose three network-based botnet detection tech- niques. Each technique models the detections by analyzing different types of network data : the first detection technique performs packet level inspec- tion. The second one analyzes the DNS traffic to find the domains that are abused for different kinds of malicious purposes including being assigned for the command and control servers. And finally, the last one detects command and control servers by analyzing NetFlow data. We propose a detection approach to identify single, bot-infected ma- chines without any prior knowledge about command and control mecha- nisms or the way in which a bot propagates. Our detection model leverages the characteristic behavior of a bot, which is that it (a) receives commands from the botmaster, and (b) carries out some actions in response to these commands. The basic idea of our system is that we can generate detection models by observing the behavior of bots that are captured in the wild. Based on the observations of commands and responses, we generate detec- tion models that can be deployed to scan network traffic for similar activity, indicating the fact that a machine is infected by a bot. We introduce a passive DNS analysis approach and a detection system, Exposure, to effectively and efficiently detect domain names that are in- volved in malicious activity. We use a set of features that allow us to charac- i ii Abstract terize different properties of DNS names and the ways that they are queried. Our experiments with a large, real-world data set consisting of 100 billion DNS requests, and a real-life deployment for two weeks in an ISP show that our approach is scalable and that we are able to automatically identify un- known malicious domains that are misused in a variety of malicious activity (such as for botnet command and control, spamming, and phishing). Finally, we present Disclosure, a large-scale, wide-area botnet detec- tion system that incorporates a combination of novel techniques to overcome the challenges imposed by the use of NetFlow data. In particular, we iden- tify several groups of features that allow Disclosure to reliably distinguish C&C channels from benign traffic using NetFlow records : (i) flow sizes, (ii) client access patterns, and (iii) temporal behavior. We demonstrate that these features are not only effective in detecting current C&C channels, but that these features are relatively robust against expected countermeasures future botnets might deploy against our system. Furthermore, these features are oblivious to the specific structure of known botnet C&C protocols. R´esum´e La p´eriode ou Internet ´etaitun r´eseauuniversitaire sans activit´esmalveil- lantes est r´evolue depuis longtemps. De nos jours, les cyber-criminels ont beaucoup plus de raisons et de motivations pour conduire des activit´es ill´egales`abut lucratif. Un des outils les plus reconnus pour les criminels num´eriquessont les bots. Un botnet correspond `aun ensemble de plusieurs machines "infect´ees"qui sont sous le contr^oled'une seule entit´emalveillante. Ces botnets sont souvent utilis´eescomme des plateformes pour lancer des attaques de d´enide service, pour envoyer des spams ou pour h´eberger des pages d'arnaques. Cette th`esepropose trois techniques de d´etectionde botnet en se bas- ant sur l'analyse du r´eseau.Chaque technique mod´eliseces d´etectionsen analysant diff´erents types de donn´ees : la premi`eretechnique effectue une ispection des donn´eesau niveau paquet. La deuxi`emetechnique analyse le traffic DNS pour retrouver des domaines qui sont affect´espour des fins malveillantes notamment par des serveurs de commandes et de contr^ole.En- fin, la derni`eretechnique d´etectedes serveurs de commande et de contr^ole en analysant les donn´eesdu flux r´eseau. iii iv R´esum´e Table des mati`eres Abstract . .i R´esum´e ................................. iii Contents . .v List of Figures . ix List of Tables . .x Acronyms . xiii 1 Introduction 1 1.1 Botnet Detection Through Network Level Packet Inspection .3 1.2 Botnet Detection Through Passive DNS Analysis . .5 1.3 Botnet Command and Control Server Detection Through Net- flow Analysis . .7 1.4 Contributions . .9 1.5 Outline . 10 2 The Malware Evolution : Botnets 11 2.1 Botnet Characteristics . 12 2.1.1 Botnet Command and Control Infrastructures . 12 2.1.2 Bot Propagation Mechanisms . 15 2.1.3 Malicious Activites . 16 2.2 Historical Evolution of Botnets . 19 3 State of the Art 23 3.1 General malware detection . 23 3.2 Network intrusion detection . 24 3.3 Signature generation . 24 3.4 Botnet analysis and defense . 25 3.5 Using DNS Analysis Techniques for Detecting Botnets . 26 3.5.1 Identifying Malicious Domains . 26 v vi Table des mati`eres 3.5.2 Identifying Infected Machines by Monitoring Their DNS Activities . 28 3.5.3 Generic Identification of Malicious Domains Using Pas- sive DNS Monitoring . 28 3.6 Anomaly Detection Through NetFlow Analysis . 28 3.7 Botnet Detection with NetFlow Analysis . 30 4 Botnet Detection Through Network Level Packet Inspec- tion 31 4.1 System Overview . 32 4.1.1 Detection Models . 32 4.1.2 Model Generation . 34 4.2 Analyzing Bot Activity . 36 4.2.1 Locating Bot Responses . 36 4.2.2 Extracting Model Generation Data . 39 4.3 Generating Detection Models . 40 4.3.1 Command Model Generation . 41 4.3.2 Response Model Generation . 43 4.3.3 Mapping Models into Bro Signatures . 44 4.4 Evaluation . 44 4.4.1 Capturing Bot Traffic . 45 4.4.2 Generating Signatures . 46 4.4.3 Detection Capability . 48 4.4.4 Real-World Deployment . 49 4.4.5 Examples And Comparison To Hand-tuned Signatures 51 4.5 Limitations . 54 5 Botnet Detection Through Passive DNS Analysis 55 5.1 Overview . 56 5.1.1 Extracting DNS Features for Detection . 56 5.1.2 Architecture of EXPOSURE . 57 5.1.3 Real-Time Deployment . 58 5.2 Feature Selection . 58 5.2.1 Time-Based Features . 58 5.2.2 DNS Answer-Based Features . 63 5.2.3 TTL Value-Based Features . 64 5.2.4 Domain Name-Based Features . 65 5.3 Building Detection Models . 66 5.3.1 Constructing the Training Set . 66 5.3.2 The Initial Period of Training . 67 Table des mati`eres vii 5.3.3 The Classifier . 67 5.4 Evaluation . 69 5.4.1 DNS Data Collection for Offline Experiments . 69 5.4.2 Evaluation of the Classifier . 70 5.4.3 Experiments with the Recorded Data Set . 71 5.4.4 Real-World, Real-Time Detection with EXPOSURE . 73 5.4.5 Comparison with Previous Work . 75 5.5 Real-World Deployment of EXPOSURE . 78 5.6 Limitations . 81 6 Botnet Command and Control Server Detection Through Netflow Analysis 83 6.1 System Overview . 84 6.2 Feature Selection and Classification . 85 6.2.1 NetFlow Attributes . 85 6.2.2 Disclosure Feature Extraction . 87 6.2.3 Building the Detection Models . 91 6.3 False Positive Reduction . 92 6.4 Evaluation . 94 6.4.1 The NetFlow Data Sets . 95 6.4.2 The Ground-Truth Data Sets . 95 6.4.3 Labeled Data Set Detection and False Positive Rates . 96 6.4.4 Real-Time Detection . 99 6.4.5 Performance Evaluation . 102 6.4.6 Deployment Considerations . 102 6.4.7 Resilience to Evasion . 103 7 Concluding Remarks 105 Appendices 107 A R´esum´e´etendu 109 A.1 D´etectionBotnet Par Packet Inspection R´eseau. 111 A.2 D´etectionBotnet par DNS Analyse Passive . 113 A.3 D´etectiondes Serveurs de Commande et de Contr^oleen Analysant les Donn´eesdu Flux R´eseau. 116 A.4 Contributions .
Load more

Recommended publications
  • Analysis of Malware and Domain Name System Traffic
    Analysis of Malware and Domain Name System Traffic Hamad Mohammed Binsalleeh A Thesis in The Department of Computer Science and Software Engineering Presented in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy at Concordia University Montréal, Québec, Canada July 2014 c Hamad Mohammed Binsalleeh, 2014 CONCORDIA UNIVERSITY Division of Graduate Studies This is to certify that the thesis prepared By: Hamad Mohammed Binsalleeh Entitled: Analysis of Malware and Domain Name System Traffic and submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy complies with the regulations of this University and meets the accepted standards with respect to originality and quality. Signed by the final examining committee: Chair Dr. Christian Moreau External Examiner Dr. Nadia Tawbi Examiner to Program Dr. Lingyu Wang Examiner Dr. Peter Grogono Examiner Dr. Olga Ormandjieva Thesis Co-Supervisor Dr. Mourad Debbabi Thesis Co-Supervisor Dr. Amr Youssef Approved by Chair of the CSE Department 2014 Dean of Engineering ABSTRACT Analysis of Malware and Domain Name System Traffic Hamad Mohammed Binsalleeh Concordia University, 2014 Malicious domains host Command and Control servers that are used to instruct in- fected machines to perpetuate malicious activities such as sending spam, stealing creden- tials, and launching denial of service attacks. Both static and dynamic analysis of malware as well as monitoring Domain Name System (DNS) traffic provide valuable insight into such malicious activities and help security experts detect and protect against many cyber attacks. Advanced crimeware toolkits were responsible for many recent cyber attacks. In order to understand the inner workings of such toolkits, we present a detailed reverse en- gineering analysis of the Zeus crimeware toolkit to unveil its underlying architecture and enable its mitigation.
    [Show full text]
  • An Analysis of the Asprox Botnet
    An Analysis of the Asprox Botnet Ravishankar Borgaonkar Technical University of Berlin Email: [email protected] Abstract—The presence of large pools of compromised com- motives. Exploitable vulnerabilities may exist in the Internet puters, also known as botnets, or zombie armies, represents a infrastructure, in the clients and servers, in the people, and in very serious threat to Internet security. This paper describes the way money is controlled and transferred from the Internet the architecture of a contemporary advanced bot commonly known as Asprox. Asprox is a type of malware that combines into traditional cash. Many security firms and researchers are the two threat vectors of forming a botnet and of generating working on developing new methods to fight botnets and to SQL injection attacks. The main features of the Asprox botnet mitigate against threats from botnets [7], [8], [9]. are the use of centralized command and control structure, HTTP based communication, use of advanced double fast-flux service Unfortunately, there are still many questions that need to networks, use of SQL injection attacks for recruiting new bots be addressed to find effective ways of protecting against the and social engineering tricks to spread malware binaries. The threats from botnets. In order to fight against botnets in future, objective of this paper is to contribute to a deeper understanding of Asprox in particular and a better understanding of modern it is not enough to study the botnets of past. Botnets are botnet designs in general. This knowledge can be used to develop constantly evolving, and we need to understand the design more effective methods for detecting botnets, and stopping the and structure of the emerging advanced botnets.
    [Show full text]
  • Detecting Botnets Using File System Indicators
    Detecting botnets using file system indicators Master's thesis University of Twente Author: Committee members: Peter Wagenaar Prof. Dr. Pieter H. Hartel Dr. Damiano Bolzoni Frank Bernaards LLM (NHTCU) December 12, 2012 Abstract Botnets, large groups of networked zombie computers under centralised control, are recognised as one of the major threats on the internet. There is a lot of research towards ways of detecting botnets, in particular towards detecting Command and Control servers. Most of the research is focused on trying to detect the commands that these servers send to the bots over the network. For this research, we have looked at botnets from a botmaster's perspective. First, we characterise several botnet enhancing techniques using three aspects: resilience, stealth and churn. We see that these enhancements are usually employed in the network communications between the C&C and the bots. This leads us to our second contribution: we propose a new botnet detection method based on the way C&C's are present on the file system. We define a set of file system based indicators and use them to search for C&C's in images of hard disks. We investigate how the aspects resilience, stealth and churn apply to each of the indicators and discuss countermeasures botmasters could take to evade detection. We validate our method by applying it to a test dataset of 94 disk images, 16 of which contain C&C installations, and show that low false positive and false negative ratio's can be achieved. Approaching the botnet detection problem from this angle is novel, which provides a basis for further research.
    [Show full text]
  • Pax Technica
    pax technica YY6658.indb6658.indb i 22/2/15/2/15 11:15:1811:15:18 AAMM YY6658.indb6658.indb iiii 22/2/15/2/15 11:15:1811:15:18 AAMM philip n. howard pax technica how the internet of things may set us free or lock us up new haven & london YY6658.indb6658.indb iiiiii 22/2/15/2/15 11:15:1811:15:18 AAMM Published with assistance from the Mary Cady Tew Memorial Fund. Copyright © 2015 by Philip N. Howard. All rights reserved. This book may not be reproduced, in whole or in part, including illustrations, in any form (beyond that copying permitted by Sections 107 and 108 of the U.S. Copyright Law and except by reviewers for the public press), without written permission from the publishers. An online version of the work is made available under a Creative Commons license for use that is noncommercial and not derivative. The terms of the license are set forth at http://creativecommons.org/licenses/by-nc-nd/4.0/. For more information about a digital copy of the work, please see the author’s website: http://philhoward.org/. Yale University Press books may be purchased in quantity for educational, business, or promotional use. For information, please e-mail sales.press@yale .edu (U.S. offi ce) or [email protected] (U.K. offi ce). Set in Joanna type by Newgen North America, Austin, Texas. Printed in the United States of America. ISBN 978-0-300-19947-5 (cloth : alk. paper) Catalogue records for this book are available from the Library of Congress and the British Library.
    [Show full text]
  • Zerohack Zer0pwn Youranonnews Yevgeniy Anikin Yes Men
    Zerohack Zer0Pwn YourAnonNews Yevgeniy Anikin Yes Men YamaTough Xtreme x-Leader xenu xen0nymous www.oem.com.mx www.nytimes.com/pages/world/asia/index.html www.informador.com.mx www.futuregov.asia www.cronica.com.mx www.asiapacificsecuritymagazine.com Worm Wolfy Withdrawal* WillyFoReal Wikileaks IRC 88.80.16.13/9999 IRC Channel WikiLeaks WiiSpellWhy whitekidney Wells Fargo weed WallRoad w0rmware Vulnerability Vladislav Khorokhorin Visa Inc. Virus Virgin Islands "Viewpointe Archive Services, LLC" Versability Verizon Venezuela Vegas Vatican City USB US Trust US Bankcorp Uruguay Uran0n unusedcrayon United Kingdom UnicormCr3w unfittoprint unelected.org UndisclosedAnon Ukraine UGNazi ua_musti_1905 U.S. Bankcorp TYLER Turkey trosec113 Trojan Horse Trojan Trivette TriCk Tribalzer0 Transnistria transaction Traitor traffic court Tradecraft Trade Secrets "Total System Services, Inc." Topiary Top Secret Tom Stracener TibitXimer Thumb Drive Thomson Reuters TheWikiBoat thepeoplescause the_infecti0n The Unknowns The UnderTaker The Syrian electronic army The Jokerhack Thailand ThaCosmo th3j35t3r testeux1 TEST Telecomix TehWongZ Teddy Bigglesworth TeaMp0isoN TeamHav0k Team Ghost Shell Team Digi7al tdl4 taxes TARP tango down Tampa Tammy Shapiro Taiwan Tabu T0x1c t0wN T.A.R.P. Syrian Electronic Army syndiv Symantec Corporation Switzerland Swingers Club SWIFT Sweden Swan SwaggSec Swagg Security "SunGard Data Systems, Inc." Stuxnet Stringer Streamroller Stole* Sterlok SteelAnne st0rm SQLi Spyware Spying Spydevilz Spy Camera Sposed Spook Spoofing Splendide
    [Show full text]
  • Ethical Hacking
    Ethical Hacking Alana Maurushat University of Ottawa Press ETHICAL HACKING ETHICAL HACKING Alana Maurushat University of Ottawa Press 2019 The University of Ottawa Press (UOP) is proud to be the oldest of the francophone university presses in Canada and the only bilingual university publisher in North America. Since 1936, UOP has been “enriching intellectual and cultural discourse” by producing peer-reviewed and award-winning books in the humanities and social sciences, in French or in English. Library and Archives Canada Cataloguing in Publication Title: Ethical hacking / Alana Maurushat. Names: Maurushat, Alana, author. Description: Includes bibliographical references. Identifiers: Canadiana (print) 20190087447 | Canadiana (ebook) 2019008748X | ISBN 9780776627915 (softcover) | ISBN 9780776627922 (PDF) | ISBN 9780776627939 (EPUB) | ISBN 9780776627946 (Kindle) Subjects: LCSH: Hacking—Moral and ethical aspects—Case studies. | LCGFT: Case studies. Classification: LCC HV6773 .M38 2019 | DDC 364.16/8—dc23 Legal Deposit: First Quarter 2019 Library and Archives Canada © Alana Maurushat, 2019, under Creative Commons License Attribution— NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0) https://creativecommons.org/licenses/by-nc-sa/4.0/ Printed and bound in Canada by Gauvin Press Copy editing Robbie McCaw Proofreading Robert Ferguson Typesetting CS Cover design Édiscript enr. and Elizabeth Schwaiger Cover image Fragmented Memory by Phillip David Stearns, n.d., Personal Data, Software, Jacquard Woven Cotton. Image © Phillip David Stearns, reproduced with kind permission from the artist. The University of Ottawa Press gratefully acknowledges the support extended to its publishing list by Canadian Heritage through the Canada Book Fund, by the Canada Council for the Arts, by the Ontario Arts Council, by the Federation for the Humanities and Social Sciences through the Awards to Scholarly Publications Program, and by the University of Ottawa.
    [Show full text]
  • Defending Against Cybercrime: Advances in the Detection of Malicious Servers and the Analysis of Client-Side Vulnerabilities
    UNIVERSIDAD POLITECNICA´ DE MADRID ESCUELA TECNICA´ SUPERIOR DE INGENIEROS INFORMATICOS´ Defending Against Cybercrime: Advances in the Detection of Malicious Servers and the Analysis of Client-Side Vulnerabilities PH.D THESIS Antonio Nappa Copyright c February 2016 by Antonio Nappa DEPARTAMENTAMENTO DE LENGUAJES Y SISTEMAS INFORMATICOS´ E INGENIERIA DE SOFTWARE ESCUELA TECNICA´ SUPERIOR DE INGENIEROS INFORMATICOS´ Defending Against Cybercrime: Advances in the Detection of Malicious Servers and the Analysis of Client-Side Vulnerabilities SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF: Doctor en Inform´atica Author: Antonio Nappa Advisor Dr. Juan Caballero February 2016 Jury: Somesh Jha, Professor of Computer Sciences - University of Wisconsin-Madison Lorenzo Cavallaro, Senior Lecturer of Computer Sciences - Royal Holloway University of London Juan Manuel Est´evez Tapiador, Profesor Titular de Universidad - Universi- dad Carlos III de Madrid Victor A. Villagr´a, Profesor Titular de Universidad - Universidad Polit´ecnica de Madrid Boris K¨opf, Assistant Research Professor - IMDEA Software Institute Carmela Troncoso, Researcher - IMDEA Software Institute Manuel Carro, Profesor Titular de Universidad - Universidad Polit´ecnica de Madrid Resumen de la tesis Esta tesis se centra en el an´alisisde dos aspectos complementarios de la ciberdelin- cuencia (es decir, el crimen perpetrado a trav´esde la red para ganar dinero). Estos dos aspectos son las m´aquinasinfectadas utilizadas para obtener beneficios econ´omicosde la delincuencia a trav´esde diferentes acciones (como por ejemplo, clickfraud, DDoS, correo no deseado) y la infraestructura de servidores utiliza- dos para gestionar estas m´aquinas(por ejemplo, C & C, servidores explotadores, servidores de monetizaci´on,redirectores). En la primera parte se investiga la exposici´ona las amenazas de los orde- nadores victimas.
    [Show full text]
  • Survey and Taxonomy of Botnet Research Through Life-Cycle
    Survey and Taxonomy of Botnet Research through Life-Cycle RAFAEL A. RODR´IGUEZ-GOMEZ,´ GABRIEL MACIA-FERN´ ANDEZ´ and PEDRO GARC´IA-TEODORO, University of Granada Of all current threats to cybersecurity, botnets are at the top of the list. In consequence, interest in this problem is increasing rapidly among the research community and the number of publications on the question has grown exponentially in recent years. This article proposes a taxonomy of botnet research and presents a survey of the field to provide a comprehensive overview of all these contributions. Furthermore, we hope to provide researchers with a clear perspective of the gaps that remain to be filled in our defenses against botnets. The taxonomy is based upon the botnet’s life-cycle, defined as the sequence of stages a botnet needs to pass through in order to reach its goal. This approach allows us to consider the problem of botnets from a global perspective, which constitutes a key difference from other taxonomies that have been proposed. Under this novel taxonomy, we conclude that all attempts to defeat botnets should be focused on one or more stages of this life-cycle. In fact, the sustained hindering of any of the stages makes it possible to thwart a botnet’s progress and thus render it useless. We test the potential capabilities of our taxonomy by means of a survey of current botnet research, and find it genuinely useful in understanding the focus of the different contributions in this field. Categories and Subject Descriptors: K.6.5 [Security and Protection]: Invasive Software; K.4.2 [Social Issues]: Abuse and Crime Involving Computers General Terms: Security Additional Key Words and Phrases: Attack, botnet, defense, detection, survey, taxonomy 45 ACM Reference Format: Rodr´ıguez-Gomez,´ R.
    [Show full text]
  • Detecting DGA Bots in a Single Network
    BotDigger: Detecting DGA Bots in a Single Network Han Zhang Manaf Gharaibeh Spiros Thanasoulas Christos Papadopoulos Department of Computer Science Colorado State University Fort Collins, Colorado, USA 80521 Email: zhang, gharaibe, spiros.thanasoulas, [email protected] Abstract—To improve the resiliency of communication be- compared to legitimate hosts. For example, DGA bots send tween bots and C&C servers, bot masters began utilizing Domain more DNS queries than legitimate hosts. Last, if we can detect Generation Algorithms (DGA) in recent years. Many systems have bots only using DNS traffic when they look for C&C domains, been introduced to detect DGA-based botnets. However, they we can stop the attacks even before they happen. suffer from several limitations, such as requiring DNS traffic collected across many networks, the presence of multiple bots Many previous works have been introduced to detect DGA- from the same botnet, and so forth. These limitations make it very based botnets and malicious domains (e.g., C&C domains, hard to detect individual bots when using traffic collected from a single network. In this paper, we introduce BotDigger, a system phishing domains) using DNS traffic [8], [20], [9], [6], [22], that detects DGA-based bots using DNS traffic without a priori [23], [17]. They share some common assumptions, such as knowledge of the domain generation algorithm. BotDigger utilizes DGA domains generated by the same algorithm have similar a chain of evidence, including quantity, temporal and linguistic linguistic attributes, DGA domains’ attributes are different evidence to detect an individual bot by only monitoring traffic from legitimate ones, and so forth.
    [Show full text]
  • Domain Generation Algorithm (DGA) Detection
    Domain Generation Algorithm (DGA) Detection by Shubhangi Upadhyay Bachelors of Computer Science, UPTU, 2016 A THESIS SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF Masters of Computer Science In the Graduate Academic Unit of Faculty of Computer Science Supervisor(s): Ali Ghorbani, Ph.D, Faculty of Computer Science Examining Board: Suprio Ray, Ph.D, Faculty of Computer Science, Chair Arash Habibi, Ph.D, Faculty of Computer Science, Chair Donglei Du, PhD, Faculty of Management, UNB This thesis is accepted by the Dean of Graduate Studies THE UNIVERSITY OF NEW BRUNSWICK May, 2020 © Shubhangi Upadhyay, 2020 Abstract Domain name plays a crucial role today, as it is designed for humans to refer the access point they need and there are certain characteristics that every domain name has which justifies their existence. A technique was developed to algorithmically generate domain names with the idea to solve the problem of designing domain names manually. DGAs are immune to static prevention methods like blacklisting and sinkholing. Attackers deploy highly sophisticated tactics to compromise end- user systems to gain control as a target for malware to spread. There have been multiple attempts made using lexical feature analysis, domain query responses by blacklist or sinkholing, and some of these techniques have been really efficient as well. In this research the idea to design a framework to detect DGAs even in real network traffic, using features studied from legitimate domain names in static and real traffic, by considering feature extraction as the key of the framework we propose. The detection process consists of detection, prediction and classification attaining a maximum accuracy of 99% even without using neural networks or deep learning techniques.
    [Show full text]
  • Distributed Attacks As Security Games
    Distributed attacks as security games Neal Fultz School of Information UC Berkeley [email protected] ABSTRACT using enough resources to overwhelm a server. Perhaps the Due to the development of easy-to-use software, distributed least sophisticated, online 'sit-ins' date back to at least 1995 denial of service attacks have gone from theoretical weapons [6]. Since then, computing power and bandwidth have fol- to being in the hands of criminals in less than twenty years. lowed Moore's law and grown exponentially; it now takes This paper analyzes the threat of DDoS attacks by devel- more than a few hundred volunteers to knock out a website. oping a two-sided multiplayer model of security in which attackers attempt to deny service and defenders attempt to On the other hand, attackers have become increasingly so- protect against attacks. Key ¯ndings include the existence phisticated. Computer exploits are cataloged and traded, of protection and non-attack Nash equilibria among di®er- backdoors allow attackers to remote control a computer, and ent con¯gurations of contribution functions and numbers of rootkits let them mask their presence. Viruses and worms players, and validation of this model against infection data. can compromise millions of computers quickly. Some com- I ¯nd that strategic attackers launch attacks only if protec- puters don't even need to be compromised to be turned into tion will not occur. Therefore, the threat of protection can a weapon [15]. In the case of Estonia, a teenager used a net- be enough to deter an attacker, but as the number of attack- work of compromised machines (a "botnet") to shut down ers grows, this equilibrium becomes increasingly unstable.
    [Show full text]
  • Dissertation Detecting Advanced Botnets in Enterprise Networks
    Dissertation Detecting Advanced Botnets in Enterprise Networks Submitted by Han Zhang Department of Computer Science In partial fulfillment of the requirements For the Degree of Doctor of Philosophy Colorado State University Fort Collins, Colorado Spring 2017 Doctoral Committee: Advisor: Christos Papadopoulos Indrakshi Ray Shrideep Pallickara Stephen C. Hayne Copyright by Han Zhang 2017 All Rights Reserved Abstract Detecting Advanced Botnets in Enterprise Networks A botnet is a network composed of compromised computers that are controlled by a botmaster through command and control (C&C) channel. Botnets are more destructive compared to common virus and malware, because they control the resources from many compromised computers. Botnets provide a very important platform for attacks, such as Distributed Denial-of-Service (DDoS), spamming, scanning, and many more. To foil detec- tion systems, botnets began to use various evasion techniques, including encrypted commu- nications, dynamically generated C&C domains, and more. We call such botnets that use evasion techniques as advanced botnets. In this dissertation, we introduce various algorithms and systems to detect advanced botnets in enterprise-like network environment. Encrypted botnets introduce several problems to detection. First, to enable research in detecting encrypted botnets, researchers need samples of encrypted botnet traces with ground truth, which are very hard to get. Traces that are available are not customizable, which prevents testing under various controlled scenarios. To address this problem we intro- duce BotTalker, a tool that can be used to generate customized encrypted botnet communi- cation traffic. BotTalker emulates the actions a bot would take to encrypt communication. To the best of our knowledge, BotTalker is the first work that provides users customized encrypted botnet traffic.
    [Show full text]