DNS Traffic analysis for botnet detection

Botnets pose a major threat to cyber security. Given that firewalls typically prevent unsolicited incoming traffic from reaching hosts internal to the local area network, it is up to each bot to initiate a connection with its remote Command and Control (C&C) server. To perform this task a bot can use either a hardcoded IP address or perform a DNS lookup for a predefined or algorithmically-generated domain name. Modern malware increasingly utilizes DNS to enhance the overall availability and reliability of the C&C communication channel. In this paper we present a prototype botnet detection system that leverages passive DNS traffic analysis to detect a botnet’s presence in a local area network. A naive Bayes classifier is trained on features extracted from both benign and malicious DNS traffic traces and its performance is evaluated. Since the proposed method relies on DNS traffic, it permits the early detection of bots on the network. In addition, the method does not depend on the number of bots operating in the local network and is effective when only a small number of infected machines are present

DNS Traffic analysis for botnet detection

Botnets pose a major threat to cyber security. Given that firewalls typically prevent unsolicited incoming traffic from reaching hosts internal to the local area network, it is up to each bot to initiate a connection with its remote Command and Control (C&C) server. To perform this task a bot can use either a hardcoded IP address or perform a DNS lookup for a predefined or algorithmically-generated domain name. Modern malware increasingly utilizes DNS to enhance the overall availability and reliability of the C&C communication channel. In this paper we present a prototype botnet detection system that leverages passive DNS traffic analysis to detect a botnet’s presence in a local area network. A naive Bayes classifier is trained on features extracted from both benign and malicious DNS traffic traces and its performance is evaluated. Since the proposed method relies on DNS traffic, it permits the early detection of bots on the network. In addition, the method does not depend on the number of bots operating in the local network and is effective when only a small number of infected machines are present