4 research outputs found
Tracking and Characterizing Botnets Using Automatically Generated Domains
Modern botnets rely on domain-generation algorithms (DGAs) to build resilient
command-and-control infrastructures. Recent works focus on recognizing
automatically generated domains (AGDs) from DNS traffic, which potentially
makes it possible to identify previously unknown AGDs and so hinder or disrupt
botnets' communication capabilities.
The state-of-the-art approaches require deploying low-level DNS sensors to
access data whose collection poses practical and privacy issues, making their
adoption problematic. We propose a mechanism that overcomes the above
limitations by analyzing DNS traffic data through a combination of linguistic
and IP-based features of suspicious domains. In this way, we are able to
identify AGD names, characterize their DGAs and isolate logical groups of
domains that represent the respective botnets. Moreover, our system enriches
these groups with new, previously unknown AGD names, and produces novel
knowledge about the evolving behavior of each tracked botnet.
We used our system in real-world settings to help researchers who requested
intelligence on suspicious domains; the system was able to label those domains
as belonging to the correct botnet automatically.
Additionally, we ran an evaluation on 1,153,516 domains, including AGDs from
both modern (e.g., Bamital) and traditional (e.g., Conficker, Torpig) botnets.
Our approach correctly isolated families of AGDs that belonged to distinct
DGAs, and told automatically generated domains apart from non-automatically
generated ones in 94.8 percent of the cases.
Comment: 14 pages, 10 figures, 2 tables
Intercepting Hail Hydra: Real-Time Detection of Algorithmically Generated Domains
A crucial technical challenge for cybercriminals is to keep control over the
potentially millions of infected devices that build up their botnets, without
compromising the robustness of their attacks. A single, fixed C&C server, for
example, can be trivially detected either by binary or traffic analysis and
immediately sinkholed or taken down by security researchers or law
enforcement. Botnets often use Domain Generation Algorithms (DGAs), primarily
to evade take-down mechanisms. DGAs extend the lifespan of a malware campaign,
thus enhancing its profitability. They can also contribute to hardening attack
attribution. In this work, we introduce HYDRA, the most comprehensive and
complete available dataset of Algorithmically-Generated Domains (AGD). The
dataset contains more than 100 DGA families, including both real-world and
adversarial ones. We analyse the dataset and discuss the possibility of
differentiating between benign requests (to real domains) and malicious ones
(to AGDs) in real time. The simultaneous study of so many families and variants
introduces several challenges; nonetheless, it alleviates biases found in
previous literature, which deals with small datasets and exploits some
characteristic features of particular families. To this end, we thoroughly
compare our approach with the current state-of-the-art and highlight some
methodological shortcomings in the current state of practice. The outcomes
obtained show that our method significantly outperforms the current
state-of-the-art in terms of both accuracy and efficiency.
Comment: The dataset of this paper can be found in
https://zenodo.org/record/396539
PASSVM: A Highly Accurate Online Fast Flux Detection System
Fast Flux service networks (FFSNs) are used by adversaries as a highly
resilient technique for keeping their malicious servers reachable while hiding
them from direct access. In this technique, a large number of botnet machines,
known as flux agents, work as proxies to relay the traffic between end users
and a malicious mothership server which is controlled by an adversary. Various
mechanisms have been proposed for detecting FFSNs. Such mechanisms depend on
collecting a large amount of DNS traffic traces and require a considerable
amount of time to identify fast flux domains. In this paper, we propose an
efficient AI-based online fast flux detection system that performs highly
accurate and extremely fast detection of fast flux domains. The proposed
system, called PASSVM, is based on features that are associated with DNS
response messages of a given domain name. The approach relies on features that
are stored in two local databases, in addition to features that are extracted
from the DNS response messages themselves. The information in the databases is
obtained from the Censys search engine and an IP geolocation service. PASSVM is
evaluated using three types of artificial neural networks: Multilayer
Perceptron (MLP), Radial Basis Function Network (RBF), and Support Vector
Machines (SVM). Results show that SVM with an RBF kernel outperformed the other
two methods with an accuracy of 99.557% and a detection time of less than 18
ms.
Comment: Submitted to Journal of Network and Systems Management
Domain Name System Security and Privacy: A Contemporary Survey
The domain name system (DNS) is one of the most important components of
today's Internet, and is the standard naming convention that maps human-readable
domain names to machine-routable IP addresses of Internet resources. However,
due to the vulnerability of DNS to various threats, its security and
functionality have been continuously challenged over the course of time.
Although researchers have addressed various aspects of the DNS in the
literature, there are still many challenges yet to be addressed. In order to
comprehensively understand the root causes of the vulnerabilities of DNS, it is
necessary to review the various activities in the research community on the DNS
landscape. To this end, this paper surveys more than 170 peer-reviewed papers,
published in both top conferences and journals in the last ten years,
and summarizes vulnerabilities in DNS and corresponding countermeasures. This
paper not only focuses on the DNS threat landscape and existing challenges, but
also discusses the data analysis methods that are frequently used to
address DNS threats and vulnerabilities. Furthermore, we looked into the DNS threat
landscape from the viewpoint of the entities involved in the DNS infrastructure
in an attempt to point out the more vulnerable entities in the system.