DocumentCode
3349006
Title
Analyzing DNS activities of bot processes
Author
Morales, Jose Andre ; Al-Bataineh, Areej ; Xu, Shouhuai ; Sandhu, Ravi
Author_Institution
Inst. for Cyber Security, Univ. of Texas at San Antonio, San Antonio, TX, USA
fYear
2009
fDate
13-14 Oct. 2009
Firstpage
98
Lastpage
103
Abstract
Detecting bots is becoming increasingly challenging with the sophistication of current bot technology. Most research has focused on identifying infected host machines but is unable to identify the specific bot processes on the host. This research analyzes active bot processes with emphasis on a newly identified vector of detection based on DNS activities occurring throughout the bot life cycle with a primary focus on the early stage of the cycle (i.e., when bots first join a botnet). Specifically, we propose criteria for detecting bot processes based on their reaction-to-DNS-response behavior (RD behavior). Our experimental results confirm that the newly identified vector of detection can, in most cases, accurately identify bot processes during the early stage in their life cycle and can improve detection results of current commercial bot detection software.
Keywords
Internet; invasive software; peer-to-peer computing; software performance evaluation; DNS activities; DNS response behavior; bot process; domain name system; malware; peer-to-peer botnet; Classification tree analysis; Communication channels; Computer science; Computer security; Data analysis; Detectors; Network servers; Peer to peer computing; Stress;
fLanguage
English
Publisher
ieee
Conference_Titel
Malicious and Unwanted Software (MALWARE), 2009 4th International Conference on
Conference_Location
Montreal, QC
Print_ISBN
978-1-4244-5786-1
Type
conf
DOI
10.1109/MALWARE.2009.5403014
Filename
5403014