PsyBoG

Power spectral density analysis for detecting botnet groups

Jonghoon Kwon, Jeongsik Kim, Jehyun Lee, Heejo Lee, Adrian Perrig

Research output: Chapter in Book/Report/Conference proceeding: Conference contribution

5 Citations (Scopus)

Abstract

Botnets are widely used for acquiring economic profits by launching attacks such as distributed denial-of-service (DDoS), identity theft, adware installation, mass spamming, and click fraud. Many approaches have been proposed to detect botnets, which rely on end-host installations or operate on network traffic with deep packet inspection. They have limitations for detecting botnets which use evasion techniques such as packet encryption, fast flux, dynamic DNS and DGA. Sporadic botnet behavior, caused by disconnecting the power of the system or by the botnet's own nature, also brings non-negligible false detections. Furthermore, normal users' traffic causes a lot of false alarms. In this paper, we propose a novel approach called PsyBoG to detect botnets by capturing periodic activities. PsyBoG leverages a signal processing technique, PSD (Power Spectral Density) analysis, to discover the major frequencies from the periodic DNS queries of botnets. The PSD analysis allows us to detect sophisticated botnets irrespective of their evasion techniques, sporadic behavior and even the noise traffic generated by normal users. To evaluate PsyBoG, we utilize real-world DNS traces collected from a /16 campus network including more than 48,046K queries, 34K distinct IP addresses and 146K domains. Finally, PsyBoG caught 19 unknown and 6 known botnet groups with 0.1% false positives.
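The mechanism the abstract describes, a PSD over one host's DNS query timeline, as an added example that is not the authors' code: query timestamps are binned into a count series, a periodogram estimates the PSD, and a spectral line standing far above the median power (the noise floor) is reported as a periodic query pattern together with its period. The sample data is constructed to exercise the two robustness claims in the abstract: the bot host is switched off for part of the window (sporadic behavior) and has ordinary user lookups mixed in (noise traffic). The bin width, window length, 60 s beacon interval and the peak-to-floor factor of 20 are assumptions for this toy data set, not values from the paper.

```python
"""Detecting beaconing in a host's DNS queries with a power spectral density (PSD).

Added illustration of the idea behind PsyBoG, not the authors' implementation. The
per-host query timestamps are binned into a count series, its PSD is estimated with a
periodogram, and a line far above the noise floor is reported with its period.
"""
import cmath
import math
import random

BIN_SECONDS = 10        # width of one sample of the count series (assumption)
WINDOW_SECONDS = 7200   # length of DNS log analysed, two hours (assumption)
PEAK_OVER_FLOOR = 20.0  # a line must exceed 20x the median power to count (assumption)


def bin_counts(timestamps, bin_seconds=BIN_SECONDS, window_seconds=WINDOW_SECONDS):
    """Turn DNS query timestamps (seconds from window start) into per-bin query counts."""
    counts = [0] * (window_seconds // bin_seconds)
    for t in timestamps:
        if 0 <= t < window_seconds:
            counts[int(t // bin_seconds)] += 1
    return counts


def periodogram(counts, bin_seconds=BIN_SECONDS):
    """Estimate the PSD of a count series: |DFT(x)[k]|^2 / N for k = 1 .. N/2.

    Plain O(N^2) DFT over the non-zero bins only (fine for a few thousand bins).
    Bin k = 0 (the mean query rate) is skipped; subtracting a constant from x only
    changes bin 0 of an unwindowed DFT, so no explicit mean removal is needed.
    """
    n = len(counts)
    nonzero = [(i, c) for i, c in enumerate(counts) if c]
    freqs, power = [], []
    for k in range(1, n // 2 + 1):
        step = -2j * math.pi * k / n
        acc = sum(c * cmath.exp(step * i) for i, c in nonzero)
        freqs.append(k / (n * bin_seconds))      # cycles per second
        power.append(abs(acc) ** 2 / n)
    return freqs, power


def detect_periodic(timestamps, threshold=PEAK_OVER_FLOOR):
    """Return (is_periodic, period_seconds, peak_to_floor_ratio) for one host's queries.

    The noise floor is the median periodogram power, which a few strong lines barely
    move. The reported line is the lowest-frequency bin above the threshold, i.e. the
    fundamental: an impulse train has equally strong harmonics at 2f, 3f, ...
    """
    freqs, power = periodogram(bin_counts(timestamps))
    floor = sorted(power)[len(power) // 2]
    if floor == 0:
        return False, None, 0.0
    for f, p in zip(freqs, power):
        if p / floor >= threshold:
            return True, round(1.0 / f, 1), round(p / floor, 1)
    return False, None, round(max(power) / floor, 1)


def make_sample(seed=7):
    """Constructed sample: two hosts, query timestamps in seconds (not real traffic)."""
    rng = random.Random(seed)
    # Host A: bot resolving its C2 name every 60 s (plus 0-3 s of timer slop), switched
    # off between t=3000 and t=4200, with 200 ordinary user lookups mixed in as noise.
    bot = [60 * m + rng.uniform(0, 3) for m in range(WINDOW_SECONDS // 60)]
    bot = [t for t in bot if not 3000 <= t < 4200]
    noise_a = [rng.uniform(0, WINDOW_SECONDS) for _ in range(200)]
    # Host B: an ordinary user, 250 lookups at random times, no periodic component.
    user_b = [rng.uniform(0, WINDOW_SECONDS) for _ in range(250)]
    return {"host_a": bot + noise_a, "host_b": user_b}


if __name__ == "__main__":
    for host, ts in make_sample().items():
        periodic, period, ratio = detect_periodic(ts)
        print(f"{host}: periodic={periodic} period={period}s peak/floor={ratio}")
```

Running the block reports host_a as periodic with a 60.0 s period (the 20-minute power-off gap only smears a little energy into neighbouring bins, well under the threshold) and host_b as non-periodic. In a real deployment the series would be built per host and per queried domain over a sliding window, and the threshold calibrated on known-benign traffic rather than fixed as here.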

Original language: English
Title of host publication: Proceedings of the 9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 85-92
Number of pages: 8
ISBN (Print): 9781479973293
DOIs: 10.1109/MALWARE.2014.6999414
Publication status: Published - 2014 Dec 29
Event: 9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014 - Fajardo, Puerto Rico
Duration: 2014 Oct 28 - 2014 Oct 30

Other

Other: 9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014
Country: Puerto Rico
City: Fajardo
Period: 14/10/28 - 14/10/30

Fingerprint

Power spectral density
Spamming
Botnet
Spectrality
Traffic
Launching
Cryptography
Evasion
Profitability
Signal processing
Computer systems
Inspection
Fluxes
Economics

Keywords

  • Botnet detection
  • Group Activity
  • Power Spectral Density

ASJC Scopus subject areas

  • Artificial Intelligence
  • Visual Arts and Performing Arts

Cite this

Kwon, J., Kim, J., Lee, J., Lee, H., & Perrig, A. (2014). PsyBoG: Power spectral density analysis for detecting botnet groups. In Proceedings of the 9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014 (pp. 85-92). [6999414] Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/MALWARE.2014.6999414

@inproceedings{b75acafbef444f99a451300495a4065d,
title = "PsyBoG: Power spectral density analysis for detecting botnet groups",
abstract = "Botnets are widely used for acquiring economic profits by launching attacks such as distributed denial-of-service (DDoS), identity theft, adware installation, mass spamming, and click fraud. Many approaches have been proposed to detect botnets, which rely on end-host installations or operate on network traffic with deep packet inspection. They have limitations for detecting botnets which use evasion techniques such as packet encryption, fast flux, dynamic DNS and DGA. Sporadic botnet behavior, caused by disconnecting the power of the system or by the botnet's own nature, also brings non-negligible false detections. Furthermore, normal users' traffic causes a lot of false alarms. In this paper, we propose a novel approach called PsyBoG to detect botnets by capturing periodic activities. PsyBoG leverages a signal processing technique, PSD (Power Spectral Density) analysis, to discover the major frequencies from the periodic DNS queries of botnets. The PSD analysis allows us to detect sophisticated botnets irrespective of their evasion techniques, sporadic behavior and even the noise traffic generated by normal users. To evaluate PsyBoG, we utilize real-world DNS traces collected from a /16 campus network including more than 48,046K queries, 34K distinct IP addresses and 146K domains. Finally, PsyBoG caught 19 unknown and 6 known botnet groups with 0.1{\%} false positives.",
keywords = "Botnet detection, Group Activity, Power Spectral Density",
author = "Jonghoon Kwon and Jeongsik Kim and Jehyun Lee and Heejo Lee and Adrian Perrig",
year = "2014",
month = "12",
day = "29",
doi = "10.1109/MALWARE.2014.6999414",
language = "English",
isbn = "9781479973293",
pages = "85--92",
booktitle = "Proceedings of the 9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014",
publisher = "Institute of Electrical and Electronics Engineers Inc.",

}

TY - GEN

T1 - PsyBoG

T2 - Power spectral density analysis for detecting botnet groups

AU - Kwon, Jonghoon

AU - Kim, Jeongsik

AU - Lee, Jehyun

AU - Lee, Heejo

AU - Perrig, Adrian

PY - 2014/12/29

Y1 - 2014/12/29

AB - Botnets are widely used for acquiring economic profits by launching attacks such as distributed denial-of-service (DDoS), identity theft, adware installation, mass spamming, and click fraud. Many approaches have been proposed to detect botnets, which rely on end-host installations or operate on network traffic with deep packet inspection. They have limitations for detecting botnets which use evasion techniques such as packet encryption, fast flux, dynamic DNS and DGA. Sporadic botnet behavior, caused by disconnecting the power of the system or by the botnet's own nature, also brings non-negligible false detections. Furthermore, normal users' traffic causes a lot of false alarms. In this paper, we propose a novel approach called PsyBoG to detect botnets by capturing periodic activities. PsyBoG leverages a signal processing technique, PSD (Power Spectral Density) analysis, to discover the major frequencies from the periodic DNS queries of botnets. The PSD analysis allows us to detect sophisticated botnets irrespective of their evasion techniques, sporadic behavior and even the noise traffic generated by normal users. To evaluate PsyBoG, we utilize real-world DNS traces collected from a /16 campus network including more than 48,046K queries, 34K distinct IP addresses and 146K domains. Finally, PsyBoG caught 19 unknown and 6 known botnet groups with 0.1% false positives.

KW - Botnet detection

KW - Group Activity

KW - Power Spectral Density

UR - http://www.scopus.com/inward/record.url?scp=84922569469&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84922569469&partnerID=8YFLogxK

U2 - 10.1109/MALWARE.2014.6999414

DO - 10.1109/MALWARE.2014.6999414

M3 - Conference contribution

SN - 9781479973293

SP - 85

EP - 92

BT - Proceedings of the 9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014

PB - Institute of Electrical and Electronics Engineers Inc.

ER -