DocumentCode :
3349006
Title :
Analyzing DNS activities of bot processes
Author :
Morales, Jose Andre ; Al-Bataineh, Areej ; Xu, Shouhuai ; Sandhu, Ravi
Author_Institution :
Inst. for Cyber Security, Univ. of Texas at San Antonio, San Antonio, TX, USA
fYear :
2009
fDate :
13-14 Oct. 2009
Firstpage :
98
Lastpage :
103
Abstract :
Detecting bots is becoming increasingly challenging with the sophistication of current bot technology. Most research has focused on identifying infected host machines but is unable to identify the specific bot processes on the host. This research analyzes active bot processes with emphasis on a newly identified vector of detection based on DNS activities occurring throughout the bot life cycle with a primary focus on the early stage of the cycle (i.e., when bots first join a botnet). Specifically, we propose criteria for detecting bot processes based on their reaction-to-DNS-response behavior (RD behavior). Our experimental results confirm that the newly identified vector of detection can, in most cases, accurately identify bot processes during the early stage in their life cycle and can improve detection results of current commercial bot detection software.
Keywords :
Internet; invasive software; peer-to-peer computing; software performance evaluation; DNS activities; DNS response behavior; bot process; domain name system; malware; peer-to-peer botnet; Classification tree analysis; Communication channels; Computer science; Computer security; Data analysis; Detectors; Network servers; Peer to peer computing; Stress;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Malicious and Unwanted Software (MALWARE), 2009 4th International Conference on
Conference_Location :
Montreal, QC
Print_ISBN :
978-1-4244-5786-1
Type :
conf
DOI :
10.1109/MALWARE.2009.5403014
Filename :
5403014