Botnets Detection by Analyzing Network Traffic Group Activities and Unsuccessful Responses

Document Type: Original Article

Abstract

Botnets are one of the growing threats on the Internet and in computer networks. A botnet is a network of infected computers connected to the Internet, controlled by a control server and used for Internet attacks such as denial of service attacks and spam. Botnets expand their territory by identifying vulnerable devices on the network and compromising them. They are progressing rapidly and use new techniques, such as DNS and quick continuous changes, to trap users and to strengthen the protection of infected computers. One of these quick continuous changes is the use of a domain name generation algorithm. With this method attackers prevent the control server's domain names from appearing in blacklists. Many botnet detection methods are based on an analysis of group activity, but using this method alone does not perform well enough in small and medium networks. The aim of this paper is to provide a comprehensive and complete method to detect botnets that change domain names quickly by means of such an algorithm. Our method is capable of detecting botnets that work in this way. In this method botnets are detected based on the failed responses, or NXDomain replies, observed for each host. This feature increases detection accuracy in small and medium networks. Our method was tested in networks infected with Conficker and Kraken, and the information obtained from them has been analyzed.
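The per-host NXDomain rule and the group-activity analysis described above, as an added example that is not the paper's code; the log format (client, query name, response code), the sample records and the thresholds are constructed assumptions:

```python
from collections import defaultdict

# Constructed sample DNS log in an assumed "client qname rcode" format.
# 10.0.0.5 queries many nonexistent names, 10.0.0.8 shares two of them,
# 10.0.0.9 only mistypes one legitimate name.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 qxzvbn12.info NXDOMAIN
10.0.0.5 plkjhgf7.biz NXDOMAIN
10.0.0.5 mnbvc9zx.org NXDOMAIN
10.0.0.5 a1s2d3f4.net NXDOMAIN
10.0.0.8 qxzvbn12.info NXDOMAIN
10.0.0.8 plkjhgf7.biz NXDOMAIN
10.0.0.9 www.example.com NOERROR
10.0.0.9 typo-exmaple.com NXDOMAIN
"""

def parse_log(text):
    """Yield (client, qname, rcode) tuples from the assumed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1].lower(), parts[2].upper()

def nxdomain_per_host(records):
    """Map each client to the set of distinct names that returned NXDOMAIN."""
    failed = defaultdict(set)
    for client, qname, rcode in records:
        if rcode == "NXDOMAIN":
            failed[client].add(qname)
    return failed

def flag_hosts(failed, min_failures=3):
    """Per-host rule: many distinct NXDOMAIN names from one host is suspicious
    even when it is the only infected machine on a small network."""
    return {h for h, names in failed.items() if len(names) >= min_failures}

def group_activity(failed, min_hosts=2):
    """Group rule: a nonexistent name queried by several hosts suggests a
    shared DGA; returns every host that took part in such a query."""
    hosts_by_name = defaultdict(set)
    for host, names in failed.items():
        for name in names:
            hosts_by_name[name].add(host)
    shared = [hosts for hosts in hosts_by_name.values() if len(hosts) >= min_hosts]
    return set().union(*shared)

def detect(text):
    """Combine both rules; returns the set of hosts reported as suspicious."""
    failed = nxdomain_per_host(parse_log(text))
    return flag_hosts(failed) | group_activity(failed)
```

On the sample, the per-host rule alone reports only 10.0.0.5, the group rule alone reports 10.0.0.5 and 10.0.0.8, and the mistyped query from 10.0.0.9 is reported by neither.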
