Identifying botnets by capturing group activities in DNS traffic

Hyunsang Choi, Heejo Lee

Research output: Contribution to journalArticle

82 Citations (Scopus)

Abstract

Botnets have become the main vehicle to conduct online crimes such as DDoS, spam, phishing and identity theft. Even though numerous efforts have been directed towards detection of botnets, evolving evasion techniques easily thwart detection. Moreover, existing approaches can be overwhelmed by the large amount of data needed to be analyzed. In this paper, we propose a light-weight mechanism to detect botnets using their fundamental characteristics, i.e., group activity. The proposed mechanism, referred to as BotGAD (botnet group activity detector) needs a small amount of data from DNS traffic to detect botnet, not all network traffic content or known signatures. BotGAD can detect botnets from a large-scale network in real-time even though the botnet performs encrypted communications. Moreover, BotGAD can detect botnets that adopt recent evasion techniques. We evaluate BotGAD using multiple DNS traces collected from different sources including a campus network and large ISP networks. The evaluation shows that BotGAD can automatically detect botnets while providing real-time monitoring in large scale networks.

Original languageEnglish
Pages (from-to)20-33
Number of pages14
JournalComputer Networks
Volume56
Issue number1
DOIs
Publication statusPublished - 2012 Jan 12

Keywords

  • Botnet
  • DNS
  • Group activity

ASJC Scopus subject areas

  • Computer Networks and Communications

Fingerprint Dive into the research topics of 'Identifying botnets by capturing group activities in DNS traffic'. Together they form a unique fingerprint.

Cite this