PsyBoG: A scalable botnet detection method for large-scale DNS traffic

Jonghoon Kwon, Jehyun Lee, Heejo Lee, Adrian Perrig

Research output: Contribution to journal, Article

43 Citations (Scopus)

Abstract

Domain Name System (DNS) traffic has become a rich source of information from a security perspective. However, the volume of DNS traffic has been skyrocketing, such that security analyzers experience difficulties in collecting, retrieving, and analyzing the DNS traffic in response to modern Internet threats. More precisely, much of the research relating to DNS has been negatively affected by the dramatic increase in the number of queries and domains. This phenomenon has necessitated a scalable approach, which is not dependent on the volume of DNS traffic. In this paper, we introduce a fast and scalable approach, called PsyBoG, for detecting malicious behavior within large volumes of DNS traffic. PsyBoG leverages a signal processing technique, power spectral density (PSD) analysis, to discover the major frequencies resulting from the periodic DNS queries of botnets. The PSD analysis allows us to detect sophisticated botnets regardless of their evasive techniques, sporadic behavior, and even normal users' traffic. Furthermore, our method allows us to deal with large-scale DNS data by only utilizing the timing information of query generation regardless of the number of queries and domains. Finally, PsyBoG discovers groups of hosts which show similar patterns of malicious behavior. PsyBoG was evaluated by conducting experiments with two different data sets, namely DNS traces generated by real malware in controlled environments and a large number of real-world DNS traces collected from a recursive DNS server, an authoritative DNS server, and Top-Level Domain (TLD) servers. We utilized the malware traces as the ground truth, and, as a result, PsyBoG performed with a detection accuracy of 95%. By using a large number of DNS traces, we were able to demonstrate the scalability and effectiveness of PsyBoG in terms of practical usage. Finally, PsyBoG detected 23 unknown and 26 known botnet groups with 0.1% false positives.
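The timing-only PSD step the abstract describes, as an added illustration (not the paper's code): per-host query counts are binned, the PSD of the binned series is computed, hosts with one sharp spectral peak are flagged, and flagged hosts sharing a period are grouped. The bin width, window length, peak-to-mean threshold and the three host traces are all constructed assumptions, not values from the paper.

```python
import cmath
import math
import random

BIN_SECONDS = 10   # assumed width of each time bin of the per-host query-count series
WINDOW_BINS = 512  # assumed window: 512 bins = 5120 s of traffic per host
PEAK_RATIO = 20.0  # assumed threshold: dominant peak vs. mean spectral power

def query_series(timestamps, bins=WINDOW_BINS, width=BIN_SECONDS):
    """Count queries per bin: only *when* a host asked, never what it asked."""
    series = [0] * bins
    for t in timestamps:
        idx = int(t // width)
        if 0 <= idx < bins:
            series[idx] += 1
    return series

def psd(series):
    """One-sided PSD via a plain O(n^2) DFT of the mean-removed series (DC dropped).
    Entry k-1 holds the power at frequency k / (len(series) * BIN_SECONDS) Hz."""
    n = len(series)
    mean = sum(series) / n
    x = [v - mean for v in series]
    return [abs(sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))) ** 2 / n
            for k in range(1, n // 2)]

def dominant_period(series, width=BIN_SECONDS):
    """Return (period in seconds, peak-to-mean power ratio) of the strongest frequency."""
    p = psd(series)
    k = max(range(len(p)), key=lambda i: p[i]) + 1
    return len(series) * width / k, p[k - 1] / (sum(p) / len(p))

def periodic_hosts(host_series):
    """Flag hosts whose spectrum has one sharp peak and group them by beacon period."""
    groups = {}
    for host, series in host_series.items():
        period, ratio = dominant_period(series)
        if ratio >= PEAK_RATIO:
            groups.setdefault(round(period), []).append(host)
    return groups

# Constructed traces (not from the paper's data sets): two bots beaconing every
# 40 s with up to +-5 s jitter and different start offsets, plus one human-like
# host whose 300 queries fall at random times within the window.
rng = random.Random(7)
BOT_A = [i * 40 + rng.uniform(-5, 5) for i in range(128)]
BOT_B = [17 + i * 40 + rng.uniform(-5, 5) for i in range(127)]
USER = sorted(rng.uniform(0, 5120) for _ in range(300))
HOSTS = {h: query_series(ts) for h, ts in
         {"10.0.0.11": BOT_A, "10.0.0.12": BOT_B, "10.0.0.50": USER}.items()}

if __name__ == "__main__":
    for host, series in HOSTS.items():
        print(host, "period=%.1fs ratio=%.1f" % dominant_period(series))
    print(periodic_hosts(HOSTS))  # the two bots land in one 40 s group, the user in none
```

A production pipeline would replace the O(n^2) DFT with an FFT and pick the threshold from labelled traces, as the paper does with its malware ground truth.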

Original language: English
Pages (from-to): 48-73
Number of pages: 26
Journal: Computer Networks
Volume: 97
DOI: 10.1016/j.comnet.2015.12.008
Publication status: Published - 2016 Mar 14

Keywords

  • Botnet detection
  • DNS analysis
  • Group activity
  • Network security
  • Power spectral density

ASJC Scopus subject areas

  • Computer Networks and Communications

Cite this

PsyBoG: A scalable botnet detection method for large-scale DNS traffic. / Kwon, Jonghoon; Lee, Jehyun; Lee, Heejo; Perrig, Adrian.

In: Computer Networks, Vol. 97, 14.03.2016, p. 48-73.

@article{9b6fbb53649d458384fa5d83d05062f7,
title = "PsyBoG: A scalable botnet detection method for large-scale DNS traffic",
abstract = "Domain Name System (DNS) traffic has become a rich source of information from a security perspective. However, the volume of DNS traffic has been skyrocketing, such that security analyzers experience difficulties in collecting, retrieving, and analyzing the DNS traffic in response to modern Internet threats. More precisely, much of the research relating to DNS has been negatively affected by the dramatic increase in the number of queries and domains. This phenomenon has necessitated a scalable approach, which is not dependent on the volume of DNS traffic. In this paper, we introduce a fast and scalable approach, called PsyBoG, for detecting malicious behavior within large volumes of DNS traffic. PsyBoG leverages a signal processing technique, power spectral density (PSD) analysis, to discover the major frequencies resulting from the periodic DNS queries of botnets. The PSD analysis allows us to detect sophisticated botnets regardless of their evasive techniques, sporadic behavior, and even normal users' traffic. Furthermore, our method allows us to deal with large-scale DNS data by only utilizing the timing information of query generation regardless of the number of queries and domains. Finally, PsyBoG discovers groups of hosts which show similar patterns of malicious behavior. PsyBoG was evaluated by conducting experiments with two different data sets, namely DNS traces generated by real malware in controlled environments and a large number of real-world DNS traces collected from a recursive DNS server, an authoritative DNS server, and Top-Level Domain (TLD) servers. We utilized the malware traces as the ground truth, and, as a result, PsyBoG performed with a detection accuracy of 95{\%}. By using a large number of DNS traces, we were able to demonstrate the scalability and effectiveness of PsyBoG in terms of practical usage. Finally, PsyBoG detected 23 unknown and 26 known botnet groups with 0.1{\%} false positives.",
keywords = "Botnet detection, DNS analysis, Group activity, Network security, Power spectral density",
author = "Jonghoon Kwon and Jehyun Lee and Heejo Lee and Adrian Perrig",
year = "2016",
month = "3",
day = "14",
doi = "10.1016/j.comnet.2015.12.008",
language = "English",
volume = "97",
pages = "48--73",
journal = "Computer Networks",
issn = "1389-1286",
publisher = "Elsevier",
}