Design of Detecting Botnet Communication by Monitoring Direct Outbound DNS Queries

Jin, Yong; Ichise, Hikaru; Iida, Katsuyoshi

doi:10.1109/cscloud.2015.53

Cited by 14 publications

(10 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The evaluation metric was the false positive rate (FPR) in terms of malicious DNS queries, which is presented in Table 8. More specifically, we use the first ten pcap files in log data, which were obtained in our previous study [32]. First, we manually confirmed that the pcap files do not contain any malicious traffic.…”

Section: Discussionmentioning

confidence: 99%

NS record History Based Abnormal DNS traffic Detection Considering Adaptive Botnet Communication Blocking

Ichise

Jin

Iida

et al. 2020

Journal of Information Processing

Self Cite

View full text Add to dashboard Cite

DNS (Domain Name System) based name resolution is one of the most fundamental Internet services for both of the Internet users and Internet service providers. In normal DNS based name resolution process, the corresponding NS (Name Server) records are required prior to sending a DNS query to the authoritative DNS servers. However, in recent years, DNS based botnet communication has been observed in which botnet related network traffic is transferred via DNS queries and responses. In particular, it has been observed that, in some types of malware, DNS queries will be sent to the C&C servers using an IP address directly without obtaining the corresponding NS records in advance. In this paper, we propose a novel mechanism to detect and block abnormal DNS traffic by analyzing the achieved NS record history in intranet. In the proposed mechanism, all DNS traffic of an intranet will be captured and analyzed in order to extract the legitimate NS records and the corresponding glue A records (the IP address(es) of a name server) which will be stored in a white list database. Then all the outgoing DNS queries will be checked and those destined to the IP addresses that are not included in the white list will be blocked as abnormal DNS traffic. We have implemented a prototype system and evaluated the functionality in an SDN-based experimental network. The results showed that the prototype system worked well as we expected and accordingly we consider that the proposed mechanism is capable of detecting and blocking some specific types of abnormal DNS-based botnet communication.

show abstract

Section: Discussionmentioning

confidence: 99%

NS record History Based Abnormal DNS traffic Detection Considering Adaptive Botnet Communication Blocking

Ichise

Jin

Iida

et al. 2020

Journal of Information Processing

Self Cite

View full text Add to dashboard Cite

show abstract

“…In their further investigation, ~22% of these queries were targeting suspicious URLs identified by virustotal [169]. A similar approach is used by Jin et al in [157], which proposes a novel DNS-based detection approach for detecting botnet activity. The paper focuses on direct outbound DNS queries on non-standard authoritative name servers to identify botnets, which use TXT records to send commands.…”

Section: Domain Name System (Dns) Based Detectionmentioning

confidence: 99%

A Survey on Botnets: Incentives, Evolution, Detection and Current Trends

Stege

El-Habr

et al. 2021

Future Internet

View full text Add to dashboard Cite

Botnets, groups of malware-infected hosts controlled by malicious actors, have gained prominence in an era of pervasive computing and the Internet of Things. Botnets have shown a capacity to perform substantial damage through distributed denial-of-service attacks, information theft, spam and malware propagation. In this paper, a systematic literature review on botnets is presented to the reader in order to obtain an understanding of the incentives, evolution, detection, mitigation and current trends within the field of botnet research in pervasive computing. The literature review focuses particularly on the topic of botnet detection and the proposed solutions to mitigate the threat of botnets in system security. Botnet detection and mitigation mechanisms are categorised and briefly described to allow for an easy overview of the many proposed solutions. The paper also summarises the findings to identify current challenges and trends within research to help identify improvements for further botnet mitigation research.

show abstract

“…al. [8] designed a botnet communication detection method by collecting authoritative NS records and their IP addresses, as well as monitoring direct outbound DNS queries. Their method is based on storing NS records with corresponding IP addresses of valid query response pairs, IP addresses of public DNS servers, and ISP specified DNS servers in a NS-IP database.…”

Section: Related Workmentioning

confidence: 99%

“…Any destination IP address not included in the previously archived Name Server (NS) records is considered suspicious and should be investigated. In this way, "all unusual domain name resolution that uses direct outbound DNS query can be monitored" [8].…”

Section: Related Workmentioning

confidence: 99%

A Multi-Stage Detection Technique for DNS-Tunneled Botnets

Ghosh

El-Sheikh

Jammal³

EPiC Series in Computing

View full text Add to dashboard Cite

Botnet communications are obfuscated within legitimate network protocols to avoid detection and remediation. Domain Name Service (DNS) is a protocol of choice to hide communication with Command & Control (C&C) servers, where botmasters tunnel these communications within DNS request and response. Since botnet communications are characterized by different features, botmasters may evade detection methods by modifying some of these features. This paper proposes a multi-staged detection approach for Domain Generation Algorithm (DGA) using domain fluxing, Fast Flux Service Network (FFSN), and encrypted DNS tunneled-based botnets using BRO Network Security Monitor. This approach is able to detect DNS-tunneled botnet communications by analyzing different techniques used to find C&C servers, and also using signature matching technique to detect DNS-tunneled SSH handshake between bots and C&C servers.

show abstract

Design of Detecting Botnet Communication by Monitoring Direct Outbound DNS Queries

Cited by 14 publications

References 3 publications

NS record History Based Abnormal DNS traffic Detection Considering Adaptive Botnet Communication Blocking

NS record History Based Abnormal DNS traffic Detection Considering Adaptive Botnet Communication Blocking

A Survey on Botnets: Incentives, Evolution, Detection and Current Trends

A Multi-Stage Detection Technique for DNS-Tunneled Botnets

Contact Info

Product

Resources

About