Title :
Identifying Botnets Using Anomaly Detection Techniques Applied to DNS Traffic
Author :
Villamarin-Salomon, R. ; Brustoloni, J.C.
Author_Institution :
Univ. of Pittsburgh, Pittsburgh
Abstract :
Bots are compromised computers that communicate with a botnet command and control (C& C) server. Bots typically employ dynamic DNS (DDNS) to locate the respective C&C server. By injecting commands into such servers, botmasters can reuse bots for a variety of attacks. We evaluate two approaches for identifying botnet C&C servers based on anomalous DDNS traffic. The first approach consists in looking for domain names whose query rates are abnormally high or temporally concentrated. High DDNS query rates may be expected because botmasters frequently move C&C servers, and botnets with as many as 1.5 million bots have been discovered. The second approach consists in looking for abnormally recurring DDNS replies indicating that the query is for an inexistent name (NXDOMAIN). Such queries may correspond to bots trying to locate C&C servers that have been taken down. In our experiments, the second approach automatically identified several domain names that were independently reported by others as being suspicious, while the first approach was not as effective.
Keywords :
Internet; invasive software; telecommunication security; telecommunication traffic; anomaly detection technique; botnet identification; command-control server; dynamic domain name system traffic; query rate; Aggregates; Automatic control; Chebyshev approximation; Command and control systems; Communication system traffic control; Computer science; Network servers; Object detection; Proposals; Superluminescent diodes;
Conference_Titel :
Consumer Communications and Networking Conference, 2008. CCNC 2008. 5th IEEE
Conference_Location :
Las Vegas, NV
Print_ISBN :
978-1-4244-1456-7
Electronic_ISBN :
978-1-4244-1457-4
DOI :
10.1109/ccnc08.2007.112
