DNS Traffic analysis for botnet detection
Botnets pose a major threat to cyber security. Given that firewalls typically prevent unsolicited incoming traffic from reaching hosts internal to the local area network, it is up to each bot to initiate a connection with its remote Command and Control (C&C) server. To perform this task a bot can use either a hardcoded IP address or perform a DNS lookup for a predefined or algorithmically-generated domain name. Modern malware increasingly utilizes DNS to enhance the overall availability and reliability of the C&C communication channel. In this paper we present a prototype botnet detection system that leverages passive DNS traffic analysis to detect a botnet’s presence in a local area network. A naive Bayes classifier is trained on features extracted from both benign and malicious DNS traffic traces and its performance is evaluated. Since the proposed method relies on DNS traffic, it permits the early detection of bots on the network. In addition, the method does not depend on the number of bots operating in the local network and is effective when only a small number of infected machines are present.
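The following is an added illustration of the approach described in the abstract, not code from the paper. It trains a naive Bayes classifier on per-query features from a passive DNS trace and rolls the verdicts up per client. The paper does not publish its feature set, so the four binary features (label entropy, label length, digit ratio, NXDOMAIN response), the thresholds, and the sample records are assumptions made for this example; the "registrable label" is approximated as the second-to-last DNS label, which a real sensor would replace with a Public Suffix List lookup.

```python
"""Passive-DNS naive Bayes bot detector (added example, not the paper's code).

All sample records and feature choices are constructed assumptions.
"""
import math
from collections import Counter, defaultdict

# Constructed sample passive-DNS records: (client_ip, queried_name, rcode).
BENIGN_TRACE = [
    ("10.0.0.5", "www.google.com", "NOERROR"),
    ("10.0.0.5", "mail.example.org", "NOERROR"),
    ("10.0.0.7", "cdn.cloudflare.net", "NOERROR"),
    ("10.0.0.7", "static.wikipedia.org", "NOERROR"),
    ("10.0.0.8", "api.github.com", "NOERROR"),
    ("10.0.0.8", "updates.microsoft.com", "NOERROR"),
]
MALICIOUS_TRACE = [  # DGA-style candidates a bot walks through until one resolves
    ("10.0.0.9", "xq7z4k9p2m1v.info", "NXDOMAIN"),
    ("10.0.0.9", "p0w3rl3v3ld9s.biz", "NXDOMAIN"),
    ("10.0.0.9", "jd82kf91nz7q.net", "NXDOMAIN"),
    ("10.0.0.9", "c8r2t5y9u1i3o.com", "NOERROR"),  # the candidate that resolved: live C&C
    ("10.0.0.9", "b93kz1xq7w.org", "NXDOMAIN"),
    ("10.0.0.9", "m4n8v2c6x0z.info", "NXDOMAIN"),
]


def shannon_entropy(s):
    """Bits of Shannon entropy over the characters of s (0.0 for empty s)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def features(record):
    """Binary feature vector for one query. Assumed features, not the paper's:
      0: registrable label has high character entropy (> 3.0 bits)
      1: registrable label is long (>= 10 chars)
      2: label is digit-heavy (> 20% digits)
      3: lookup returned NXDOMAIN (a DGA bot misses most of its candidates)
    Registrable label ~ second-to-last DNS label (PSL not consulted)."""
    _, qname, rcode = record
    labels = qname.lower().rstrip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    digit_ratio = sum(ch.isdigit() for ch in sld) / max(len(sld), 1)
    return (
        int(shannon_entropy(sld) > 3.0),
        int(len(sld) >= 10),
        int(digit_ratio > 0.2),
        int(rcode == "NXDOMAIN"),
    )


class BernoulliNB:
    """Naive Bayes over binary features with add-one (Laplace) smoothing."""

    def __init__(self):
        self.log_prior = {}
        self.log_p1 = {}  # class -> [log P(f_i = 1 | class)]
        self.log_p0 = {}  # class -> [log P(f_i = 0 | class)]

    def fit(self, vectors_by_class):
        total = sum(len(v) for v in vectors_by_class.values())
        for cls, vecs in vectors_by_class.items():
            n = len(vecs)
            self.log_prior[cls] = math.log(n / total)
            ones = [sum(v[i] for v in vecs) for i in range(len(vecs[0]))]
            self.log_p1[cls] = [math.log((k + 1) / (n + 2)) for k in ones]
            self.log_p0[cls] = [math.log((n - k + 1) / (n + 2)) for k in ones]

    def log_posteriors(self, vec):
        # Log space avoids underflow once the feature count grows.
        out = {}
        for cls, prior in self.log_prior.items():
            score = prior
            for i, f in enumerate(vec):
                score += self.log_p1[cls][i] if f else self.log_p0[cls][i]
            out[cls] = score
        return out

    def predict(self, vec):
        return max(self.log_posteriors(vec).items(), key=lambda kv: kv[1])[0]


def train_detector():
    clf = BernoulliNB()
    clf.fit({"benign": [features(r) for r in BENIGN_TRACE],
             "malicious": [features(r) for r in MALICIOUS_TRACE]})
    return clf


def classify(clf, record):
    return clf.predict(features(record))


def flag_hosts(clf, trace, threshold=3):
    """Per-client roll-up: flag a client once `threshold` of its queries are
    classified malicious. No cross-host correlation is needed, which is what
    lets the approach work when only one machine on the LAN is infected."""
    hits = defaultdict(int)
    for rec in trace:
        if classify(clf, rec) == "malicious":
            hits[rec[0]] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    clf = train_detector()
    unseen = [  # constructed, not in the training traces
        ("10.0.0.12", "www.amazon.com", "NOERROR"),
        ("10.0.0.12", "stackoverflow.com", "NOERROR"),  # long + high entropy, yet benign
        ("10.0.0.13", "k9d3xq2w8lz.top", "NXDOMAIN"),
        ("10.0.0.13", "v7q2m9xz4kd.xyz", "NXDOMAIN"),
        ("10.0.0.13", "r3w8n1pk6yt2.top", "NXDOMAIN"),
    ]
    for rec in unseen:
        print(rec[1], features(rec), classify(clf, rec))
    print("flagged clients:", flag_hosts(clf, unseen))
```

The stackoverflow.com case is included on purpose: its label is long and high-entropy, so lexical features alone pull it toward the malicious class, and it is the NXDOMAIN and digit-ratio features that keep it benign. In a real deployment the feature set, thresholds and prior would be fitted on the local network's own traces rather than hand-picked as here.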
Botnet detection from drive-by downloads
The advancement in Information Technology has brought about an advancement in the development and deployment of malware. Bot malware has brought about immense compromise in computer security. Various ways for the deployment of such bots have been devised by attackers, and they are becoming stealthier and more evasive by the day. Detecting such bots has proven to be difficult even though there are various detection techniques. In this work, a packet capturing and analysis technique for detecting host-based bots on their characteristics and behavior is proposed. The system captures network traffic first, to establish normal traffic; then already-captured botnet traffic is used to test the system. The system filters out HTTP packets and analyses these packets to further filter out botnet traffic from normal internet traffic. The system was able to detect malicious packets with a False Positive Rate of 0.2 and accuracy of 99.91%.
Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences
In this survey, we first briefly review the current state of cyber attacks, highlighting significant recent changes in how and why such attacks are performed. We then investigate the mechanics of malware command and control (C2) establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use. We then switch to the defensive side of the problem, and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely-adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices.
Comment: Work commissioned by CPNI, available at c2report.org. 38 pages. Listing abstract compressed from version appearing in report.