TY - JOUR
T1 - Identifying botnets by capturing group activities in DNS traffic
AU - Choi, Hyunsang
AU - Lee, Heejo
N1 - Funding Information:
This research was supported by the MKE, Korea, under the ITRC support program supervised by the NIPA (NIPA-2011-C1090-1131-0005) and the Seoul R&BD Program (WR080951). The preliminary version of this paper was presented in IEEE CIT [1] and COMSWARE [2].
PY - 2012/1/12
Y1 - 2012/1/12
N2 - Botnets have become the main vehicle to conduct online crimes such as DDoS, spam, phishing and identity theft. Even though numerous efforts have been directed towards detection of botnets, evolving evasion techniques easily thwart detection. Moreover, existing approaches can be overwhelmed by the large amount of data that needs to be analyzed. In this paper, we propose a light-weight mechanism to detect botnets using their fundamental characteristic, i.e., group activity. The proposed mechanism, referred to as BotGAD (botnet group activity detector), needs only a small amount of data from DNS traffic to detect botnets, not all network traffic content or known signatures. BotGAD can detect botnets in a large-scale network in real time even when the botnet performs encrypted communications. Moreover, BotGAD can detect botnets that adopt recent evasion techniques. We evaluate BotGAD using multiple DNS traces collected from different sources, including a campus network and large ISP networks. The evaluation shows that BotGAD can automatically detect botnets while providing real-time monitoring in large-scale networks.
AB - Botnets have become the main vehicle to conduct online crimes such as DDoS, spam, phishing and identity theft. Even though numerous efforts have been directed towards detection of botnets, evolving evasion techniques easily thwart detection. Moreover, existing approaches can be overwhelmed by the large amount of data that needs to be analyzed. In this paper, we propose a light-weight mechanism to detect botnets using their fundamental characteristic, i.e., group activity. The proposed mechanism, referred to as BotGAD (botnet group activity detector), needs only a small amount of data from DNS traffic to detect botnets, not all network traffic content or known signatures. BotGAD can detect botnets in a large-scale network in real time even when the botnet performs encrypted communications. Moreover, BotGAD can detect botnets that adopt recent evasion techniques. We evaluate BotGAD using multiple DNS traces collected from different sources, including a campus network and large ISP networks. The evaluation shows that BotGAD can automatically detect botnets while providing real-time monitoring in large-scale networks.
KW - Botnet
KW - DNS
KW - Group activity
UR - http://www.scopus.com/inward/record.url?scp=84655163180&partnerID=8YFLogxK
U2 - 10.1016/j.comnet.2011.07.018
DO - 10.1016/j.comnet.2011.07.018
M3 - Article
AN - SCOPUS:84655163180
VL - 56
SP - 20
EP - 33
JO - Computer Networks
JF - Computer Networks
SN - 1389-1286
IS - 1
ER -