PsyBoG: Power spectral density analysis for detecting botnet groups

Jonghoon Kwon, Jeongsik Kim, Jehyun Lee, Heejo Lee, Adrian Perrig

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    11 Citations (Scopus)

    Abstract

    Botnets are widely used for acquiring economic profits, by launching attacks such as distributed denial-of-service (DDoS), identification theft, ad-ware installation, mass spamming, and click frauds. Many approaches have been proposed to detect botnet, which rely on end-host installations or operate on network traffic with deep packet inspection. They have limitations for detecting botnets which use evasion techniques such as packet encryption, fast flux, dynamic DNS and DGA. Sporadic botnet behavior caused by disconnecting the power of system or botnet's own nature also brings unignorable false detection. Furthermore, normal user's traffic causes a lot of false alarms. In this paper, we propose a novel approach called PsyBoG to detect botnets by capturing periodic activities. PsyBoG leverages signal processing techniques, PSD (Power Spectral Density) analysis, to discover the major frequencies from the periodic DNS queries of botnets. The PSD analysis allows us to detect sophisticated botnets irrespective of their evasion techniques, sporadic behavior and even the noise traffic generated by normal users. To evaluate PsyBoG, we utilize the real-world DNS traces collected from a/16 campus network including more than 48,046K queries, 34K distinct IP addresses and 146K domains. Finally, PsyBoG caught 19 unknown and 6 known botnet groups with 0.1% false positives.

    Original languageEnglish
    Title of host publicationProceedings of the 9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014
    PublisherInstitute of Electrical and Electronics Engineers Inc.
    Pages85-92
    Number of pages8
    ISBN (Electronic)9781479973293
    DOIs
    Publication statusPublished - 2014 Dec 29
    Event9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014 - Fajardo, Puerto Rico
    Duration: 2014 Oct 282014 Oct 30

    Publication series

    NameProceedings of the 9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014

    Other

    Other9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014
    Country/TerritoryPuerto Rico
    CityFajardo
    Period14/10/2814/10/30

    Keywords

    • Botnet detection
    • Group Activity
    • Power Spectral Density

    ASJC Scopus subject areas

    • Artificial Intelligence
    • Visual Arts and Performing Arts

    Fingerprint

    Dive into the research topics of 'PsyBoG: Power spectral density analysis for detecting botnet groups'. Together they form a unique fingerprint.

    Cite this