DBod: Clustering and detecting DGA-based botnets using DNS traffic analysis
Botnets are one of the leading threats to network security nowadays and are used to conduct a wide variety of malicious activities, including information theft, phishing, spam mail distribution, and Distributed Denial of Service (DDoS) attacks. Among the various forms of botnet, DGA-based botnets, w...
Saved in:
Published in: | Computers & security 2017-01, Vol.64, p.1-15 |
---|---|
Main authors: | Wang, Tzy-Shiah; Lin, Hui-Tang; Cheng, Wei-Tsung; Chen, Chang-Yu |
Format: | Article |
Language: | eng |
Subjects: | Algorithms; Botnet detection mechanism; Clustering; Computer information security; Computer viruses; Cybersecurity; Denial of service attacks; Domain generation algorithm; Domain names; Feasibility studies; Intrusion detection systems; Lists; Malware; Name error response; Network security; Networks; Phishing; Query processing; Servers; Studies; Traffic analysis; Traffic engineering |
Online access: | Full text |
Tags: | |
container_end_page | 15 |
---|---|
container_issue | |
container_start_page | 1 |
container_title | Computers & security |
container_volume | 64 |
creator | Wang, Tzy-Shiah; Lin, Hui-Tang; Cheng, Wei-Tsung; Chen, Chang-Yu |
description | Botnets are one of the leading threats to network security nowadays and are used to conduct a wide variety of malicious activities, including information theft, phishing, spam mail distribution, and Distributed Denial of Service (DDoS) attacks. Among the various forms of botnet, DGA-based botnets, which utilize a Domain Generation Algorithm (DGA) to avoid detection, are one of the most disruptive and difficult to detect. In such botnets, the DGA is used to generate a huge list of candidate Command and Control (C&C) server domains, and the bot then attempts to connect to an active C&C server by querying each DNS server in turn. DGA-based botnets are highly elusive and difficult to detect using traditional defensive mechanisms and therefore have a high survivability. Accordingly, this study proposes a DGA-based botnet detection scheme designated as DBod based on an analysis of the query behavior of the DNS traffic. The proposed scheme exploits the fact that hosts compromised by the same DGA-based malware query the same sets of domains in the domain list and most of these queries fail since only a very limited number of the domains are actually associated with an active C&C. The feasibility of the proposed method is evaluated using the DNS data collected from an education network environment over a period of 26 months. The results show that DBod provides an accurate and effective means of detecting both existing and new DGA-based botnet patterns in real-world networks. |
doi_str_mv | 10.1016/j.cose.2016.10.001 |
format | Article |
fulltext | fulltext |
identifier | ISSN: 0167-4048 |
ispartof | Computers & security, 2017-01, Vol.64, p.1-15 |
issn | 0167-4048; 1872-6208 |
language | eng |
recordid | cdi_proquest_miscellaneous_1864579766 |
source | Elsevier ScienceDirect Journals Complete |
subjects | Algorithms; Botnet detection mechanism; Clustering; Computer information security; Computer viruses; Cybersecurity; Denial of service attacks; Domain generation algorithm; Domain names; Feasibility studies; Intrusion detection systems; Lists; Malware; Name error response; Network security; Networks; Phishing; Query processing; Servers; Studies; Traffic analysis; Traffic engineering |
title | DBod: Clustering and detecting DGA-based botnets using DNS traffic analysis |
url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-02-14T10%3A19%3A30IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=DBod:%20Clustering%20and%20detecting%20DGA-based%20botnets%20using%20DNS%20traffic%20analysis&rft.jtitle=Computers%20&%20security&rft.au=Wang,%20Tzy-Shiah&rft.date=2017-01&rft.volume=64&rft.spage=1&rft.epage=15&rft.pages=1-15&rft.issn=0167-4048&rft.eissn=1872-6208&rft.coden=CPSEDU&rft_id=info:doi/10.1016/j.cose.2016.10.001&rft_dat=%3Cproquest_cross%3E2088780858%3C/proquest_cross%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=1842418440&rft_id=info:pmid/&rft_els_id=S0167404816301250&rfr_iscdi=true |