Detecting domain‐flux botnet based on DNS traffic features in managed network
Published in: Security and Communication Networks, 2016-09, Vol. 9 (14), p. 2338-2347
Format: Article
Language: English
Summary: Modern botnets such as Zeus and Conficker commonly utilize a technique called domain fluxing or a domain generation algorithm to generate a large number of pseudo-random domain names (PDNs) dynamically for botnet operators to control their bots. These botnets are becoming one of the most serious threats to Internet security on a global scale. How to prevent their destructive action is one of the most pressing issues of today. In this paper, we focus on detecting domain-flux botnets within the monitored network based on Domain Name System (DNS) traffic features. This method passively captures all DNS traffic from the gateway of a monitored network and then extracts key features to identify PDN. Based on examining and analyzing a large number of legitimate domains as well as PDN generated by botnets, we have discovered that there is a discernible bias in the rules for constructing domain names. Therefore, we introduce a methodology that analyzes DNS traffic to extract the length and the expected value, which can distinguish between a domain name generated by humans or bots. In order to evaluate the effectiveness of the proposed approach, various machine learning algorithms are applied to train predictive models for our detection system. This proposed scheme is implemented and tested in a real local area network. The experimental results show that our proposed method achieves the highest detective efficiency for decision tree algorithms (J48) with an average overall accuracy of up to 92.3% and a false positive rate of 4.8%. Copyright © 2016 John Wiley & Sons, Ltd.

This work presents a method based on analyzing DNS traffic to detect domain-flux botnets. This method passively captures all DNS traffic from the gateway of a monitored network. Then we extract key features to distinguish between a domain name generated by humans or bots, and based on these features, we apply various machine learning algorithms to train predictive models for detection.

ISSN: 1939-0114, 1939-0122
DOI: 10.1002/sec.1495