Abstract
A new DNS-based anti-evasion technique for detecting botnets in corporate area networks is proposed. Combining passive DNS monitoring with active DNS probing made it possible to build BotGRABBER, an effective detection system for botnets that rely on evasion techniques such as cycling of IP mappings, domain flux, fast flux and DNS tunneling. BotGRABBER is based on cluster analysis of features obtained from the payload of DNS messages, complemented by active-probing analysis. The method makes it possible to detect hosts infected by bots with high efficiency.
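The abstract names the two data sources (passive DNS monitoring and active probing) and the four evasion techniques the features are meant to expose, but gives no view of what those features look like in practice. The following is an added illustration, not BotGRABBER code from the paper: it aggregates per-domain indicators from a constructed passive DNS log (address churn and TTL for fast flux, NXDOMAIN rate and label entropy for domain flux, long labels in TXT lookups for tunneling), applies assumed rule thresholds in place of the paper's cluster analysis, and then re-resolves a suspicious name through an injected offline resolver to stand in for active probing. Every name, address, threshold and log record below is constructed.

```python
"""Added illustration: per-domain features from passive DNS records plus an
active re-resolution probe. This is NOT the BotGRABBER implementation from the
paper; the record layout, thresholds and sample data are all assumptions."""
import itertools
import math
from collections import Counter, defaultdict

# Constructed passive-DNS observations (not real traffic):
# (client_ip, qname, qtype, rcode, ttl, answers)
PASSIVE_DNS = [
    ("10.0.0.5", "www.example.com", "A", "NOERROR", 3600, ["93.184.216.34"]),
    ("10.0.0.5", "www.example.com", "A", "NOERROR", 3600, ["93.184.216.34"]),
    ("10.0.0.5", "example.com", "TXT", "NOERROR", 3600, ["v=spf1 -all"]),
    # fast-flux pattern: one name, short TTL, a different address on every answer
    ("10.0.0.7", "cdn.flux-test.invalid", "A", "NOERROR", 60, ["198.51.100.10"]),
    ("10.0.0.7", "cdn.flux-test.invalid", "A", "NOERROR", 60, ["198.51.100.23"]),
    ("10.0.0.7", "cdn.flux-test.invalid", "A", "NOERROR", 60, ["198.51.100.77"]),
    ("10.0.0.7", "cdn.flux-test.invalid", "A", "NOERROR", 60, ["203.0.113.9"]),
    ("10.0.0.7", "cdn.flux-test.invalid", "A", "NOERROR", 60, ["203.0.113.41"]),
    # domain-flux pattern: random-looking labels, most of them not registered
    ("10.0.0.9", "xq7zk3vb1p.dga-test.invalid", "A", "NXDOMAIN", 0, []),
    ("10.0.0.9", "mw9ej2ctr4.dga-test.invalid", "A", "NXDOMAIN", 0, []),
    ("10.0.0.9", "h1yv8sq0an.dga-test.invalid", "A", "NXDOMAIN", 0, []),
    ("10.0.0.9", "b6ku2dz5fo.dga-test.invalid", "A", "NOERROR", 300, ["203.0.113.200"]),
    # tunneling pattern: long encoded labels carried in TXT lookups
    ("10.0.0.11", "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.t.tun-test.invalid", "TXT", "NOERROR", 1, ["YWNr"]),
    ("10.0.0.11", "c2Vjb25kIGNodW5rIG9mIGV4ZmlsIGRhdGE.t.tun-test.invalid", "TXT", "NOERROR", 1, ["YWNr"]),
]

# Assumed illustrative cut-offs; the paper derives its boundaries by clustering.
THRESHOLDS = {
    "tunnel_txt_ratio": 0.5, "tunnel_qname_len": 50,
    "dflux_nxdomain_ratio": 0.5, "dflux_label_entropy": 3.0,
    "fastflux_ips": 4, "fastflux_ttl": 300,
}


def registered_domain(qname):
    """Crude registrable-domain cut: the last two labels. A real deployment
    would consult a public-suffix list so that names under e.g. co.uk work."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(text):
    """Bits per character; random DGA labels sit well above dictionary words."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def extract_features(records):
    """Aggregate, per registrable domain, the traces each evasion technique
    leaves in DNS payloads: address churn and TTL (fast flux), failed lookups
    of high-entropy names (domain flux), long labels in TXT traffic (tunneling)."""
    by_domain = defaultdict(list)
    for rec in records:
        by_domain[registered_domain(rec[1])].append(rec)
    features = {}
    for domain, recs in by_domain.items():
        answered = [r for r in recs if r[3] == "NOERROR"]
        # leftmost label of every name that has at least one label below the domain
        leftmost = [r[1].split(".")[0] for r in recs if r[1].count(".") >= 2]
        features[domain] = {
            "queries": len(recs),
            "clients": sorted({r[0] for r in recs}),
            "distinct_ips": len({ip for r in answered if r[2] == "A" for ip in r[5]}),
            "min_ttl": min((r[4] for r in answered), default=None),
            "nxdomain_ratio": sum(r[3] == "NXDOMAIN" for r in recs) / len(recs),
            "txt_ratio": sum(r[2] == "TXT" for r in recs) / len(recs),
            "avg_label_entropy": (sum(map(shannon_entropy, leftmost)) / len(leftmost)) if leftmost else 0.0,
            "max_qname_len": max(len(r[1]) for r in recs),
        }
    return features


def classify(f):
    """Rule-based stand-in for the paper's cluster analysis (assumption)."""
    t = THRESHOLDS
    if f["txt_ratio"] >= t["tunnel_txt_ratio"] and f["max_qname_len"] >= t["tunnel_qname_len"]:
        return "dns-tunneling"
    if f["nxdomain_ratio"] >= t["dflux_nxdomain_ratio"] and f["avg_label_entropy"] >= t["dflux_label_entropy"]:
        return "domain-flux"
    if f["distinct_ips"] >= t["fastflux_ips"] and f["min_ttl"] is not None and f["min_ttl"] <= t["fastflux_ttl"]:
        return "fast-flux"
    return "benign"


def active_probe(name, resolve, rounds=5):
    """Active probing: re-resolve a name several times and count the distinct
    addresses returned. A name whose mapping cycles between probes yields a
    large set; a stable name yields one address. `resolve` is injected so the
    example runs offline; a deployment would query the local resolver."""
    seen = set()
    for _ in range(rounds):
        seen.update(resolve(name))
    return len(seen)


# Constructed answer sequences that stand in for a live resolver (assumption).
OFFLINE_ANSWERS = {
    "www.example.com": [["93.184.216.34"]],
    "cdn.flux-test.invalid": [["198.51.100.10"], ["198.51.100.23"], ["198.51.100.77"],
                              ["203.0.113.9"], ["203.0.113.41"]],
}


def make_offline_resolver(table):
    """Return a resolve(name) callable that cycles through the scripted answers."""
    cycles = {name: itertools.cycle(answers) for name, answers in table.items()}

    def resolve(name):
        return next(cycles[name]) if name in cycles else []
    return resolve


if __name__ == "__main__":
    feats = extract_features(PASSIVE_DNS)
    resolve = make_offline_resolver(OFFLINE_ANSWERS)
    for domain, f in feats.items():
        print(f"{domain:18s} {classify(f):14s} ips={f['distinct_ips']} ttl={f['min_ttl']} "
              f"nx={f['nxdomain_ratio']:.2f} entropy={f['avg_label_entropy']:.2f}")
    print("probe cdn.flux-test.invalid:", active_probe("cdn.flux-test.invalid", resolve), "distinct addresses")
```

The passive features alone are not decisive: a content-delivery network also answers with many addresses and short TTLs, which is why the re-resolution probe and the set of querying clients are kept alongside them rather than any single threshold being trusted on its own.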
Acknowledgements
This research was supported by the TEMPUS SEREIN project (project reference number 543968-TEMPUS-1-2013-1-EE-TEMPUS-JPCP). We also thank Khmelnytsky National University for providing access to its DNS traffic during the early phases of this work.
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Pomorova, O., Savenko, O., Lysenko, S., Kryshchuk, A., Bobrovnikova, K. (2016). Anti-evasion Technique for the Botnets Detection Based on the Passive DNS Monitoring and Active DNS Probing. In: Gaj, P., Kwiecień, A., Stera, P. (eds) Computer Networks. CN 2016. Communications in Computer and Information Science, vol 608. Springer, Cham. https://doi.org/10.1007/978-3-319-39207-3_8
DOI: https://doi.org/10.1007/978-3-319-39207-3_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-39206-6
Online ISBN: 978-3-319-39207-3
eBook Packages: Computer Science, Computer Science (R0)