Title :
Privacy-preserving domain-flux botnet detection in a large scale network
Author :
Guerid, Hachem ; Mittig, Karel ; Serhrouchni, Ahmed
Author_Institution :
Orange Labs., Caen, France
Abstract :
In a large scale network, the privacy of the users and the performance are critical issues when designing a detection system, especially for botnet detection, where benign traffic must be distinguished from malicious traffic. In this paper, we propose a new approach which reconciles these two requirements in order to detect domain-flux botnets and the malicious servers controlling them. It relies on two successive steps: (1) it identifies communities of bots, infected by the same malware and showing similar behaviour in a defined interval; (2) it identifies the malicious servers controlling these bots by correlating the traffic within each community. Our approach takes advantage of Bloom filters to represent information during the analysis, which allows us to comply with the privacy-preservation and performance constraints of a large scale implementation. We implemented our system and fed it with anonymised DNS traffic coming from an operator network. It detected several hundred malicious domain names with few false positives. Our system was able to process the capture faster than the injection rate, indicating that it can be scaled for real-time detection in a production environment. Our detection system is a first step towards a fully privacy-preserving botnet detection system.
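As an added illustration of the two-step scheme described in the abstract (example code, not the paper's own implementation): per-client Bloom filters stand in for raw query lists, clients whose filters overlap are grouped into a community, and resolved addresses shared within a community are flagged as candidate control servers. The filter parameters, the bit-level Jaccard similarity, the greedy grouping and the sample DNS records are assumptions constructed for this example.

```python
import hashlib
from collections import defaultdict
class BloomFilter:
    # Fixed-size filter: only hashed bit positions are kept, never the queried names
    def __init__(self, m=256, k=3):
        self.m, self.k, self.bits = m, k, 0
    def _positions(self, item):
        for i in range(self.k):
            yield int.from_bytes(hashlib.sha256(f"{i}:{item}".encode()).digest()[:4], "big") % self.m
    def add(self, item):
        for p in self._positions(item):
            self.bits |= 1 << p
def similarity(a, b):
    # Bit-level Jaccard overlap of two filters (assumed metric, not the paper's)
    inter = bin(a.bits & b.bits).count("1")
    union = bin(a.bits | b.bits).count("1")
    return inter / union if union else 0.0
def build_filters(records):
    # One filter per client over the names it queried in the observation interval
    filters = {}
    for client, name, _ in records:
        filters.setdefault(client, BloomFilter()).add(name)
    return filters
def find_communities(filters, threshold=0.5):
    # Step 1: greedy single-linkage grouping of clients with similar query sets
    communities = []
    for client, bf in filters.items():
        for group in communities:
            if any(similarity(bf, filters[other]) >= threshold for other in group):
                group.append(client)
                break
        else:
            communities.append([client])
    return communities
def suspicious_servers(records, community, min_clients=2):
    # Step 2: resolved addresses shared by at least min_clients members of one community
    seen = defaultdict(set)
    for client, _, ip in records:
        if client in community and ip is not None:
            seen[ip].add(client)
    return {ip for ip, clients in seen.items() if len(clients) >= min_clients}

# Constructed sample: (client, queried name, resolved IP or None for NXDOMAIN)
BOTS = ("10.0.0.1", "10.0.0.2", "10.0.0.3")
DGA_LIKE = ["qzkd1a.example", "p8vr2m.example", "x0tlq9.example"]
RECORDS = [(c, n, None) for c in BOTS for n in DGA_LIKE]
RECORDS += [(c, "hn4w7c.example", "203.0.113.7") for c in BOTS]
RECORDS += [("10.0.0.9", "news.example", "198.51.100.5"), ("10.0.0.9", "mail.example", "198.51.100.6")]
```

Running `find_communities(build_filters(RECORDS))` groups the three bots together and leaves the benign client alone; `suspicious_servers` on the bot community returns only the address the bots resolved in common.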
Keywords :
data privacy; data structures; invasive software; network servers; real-time systems; telecommunication traffic; anonymised DNS traffic; benign traffic; bloom filters; bot control; community traffic; large scale network; malicious servers; malicious traffic; malware; operator network; privacy preservation; privacy-preserving domain-flux botnet detection; production environment; real-time detection; user privacy; Communities; IP networks; Malware; Privacy; Real-time systems; Servers; Vectors; DGA; DNS; botnet detection; domain-flux;
Conference_Titel :
Communication Systems and Networks (COMSNETS), 2013 Fifth International Conference on
Conference_Location :
Bangalore
Print_ISBN :
978-1-4673-5330-4
Electronic_ISBN :
978-1-4673-5329-8
DOI :
10.1109/COMSNETS.2013.6465572