DNS-based anti-evasion technique for botnets detection

Lysenko, Sergii; Pomorova, Oksana; Savenko, Oleg; Kryshchuk, Andrii; Bobrovnikova, Kira

doi:10.1109/idaacs.2015.7340777

Cited by 15 publications

(6 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Table 4 compares the detection percentage and the FP of the proposed method with the other articles in the field botnet detection [3,4,7,14,[25][26][27][28].…”

Section: Results Of the Implementation Of Final Benchmark Ementioning

confidence: 99%

A Novel Approach of Botnets Detection Based on Analyzing Dynamical Network Traffic Behavior

2021

View full text Add to dashboard Cite

Nowadays, Botnets have become one of the most serious cybersecurity threats and cyber crimes such as DDoS, spam, identity theft, and phishing. Because of constantly updating evasion techniques, the detection of botnets has been always an unaddressed challenge. To cope with this, we propose a new approach to detect botnet activity based on the dynamical modeling of traffic behavior. Indeed, some important features of network traffic such as packet length, sending protocol, source-IP, destination-IP, and sending time are extracted by the Wireshark software. To explore the effect of evasion methods on the network behavior, based on the extracted features, some time series have been plotted to analyze and classify the network traffic characteristics as bots are active. Due to the drastic changing of some features during evasion techniques, several suspicious behaviors are explored as chaotic dynamical behavior in the aforementioned time series to use in the definition of the final benchmark detection mechanism. To check the accuracy of the performance, two datasets ISCX IDS 2012 and CTU-Malware-Capture-Botnet-254-1 are used. The simulation results show that the proposed method has a detection rate of over 99%, the false positive rate less than 0.67%.

show abstract

“…Table 4 compares the detection percentage and the FP of the proposed method with the other articles in the field botnet detection [3,4,7,14,[25][26][27][28].…”

Section: Results Of the Implementation Of Final Benchmark Ementioning

confidence: 99%

A Novel Approach of Botnets Detection Based on Analyzing Dynamical Network Traffic Behavior

2021

View full text Add to dashboard Cite

show abstract

“…Presented system was developed from the idea to detect the botnets' attacks using the multi-agent system [21]. The next generations of the BotGRABBER system have obtained the possibility to detect the botnets that use DNS evasion techniques (cycling of IP mapping, "domain flux", "fast flux" and DNS-tunneling) via DNS traffic analysis, and the possibility to analyze the software's behavior in the host, which may indicate the possible presence of bot directly in the host [22][23][24].…”

Section: Results and Analysismentioning

confidence: 99%

Detection of the botnets’ low-rate DDoS attacks based on self-similarity

Lysenko¹,

Bobrovnikova²,

Matiukh³

et al. 2020

IJECE

Self Cite

View full text Add to dashboard Cite

An article presents the approach for the botnets’ low-rate a DDoS-attacks detection based on the botnet’s behavior in the network. Detection process involves the analysis of the network traffic, generated by the botnets’ low-rate DDoS attack. Proposed technique is the part of botnets detection system – BotGRABBER system. The novelty of the paper is that the low-rate DDoS-attacks detection involves not only the network features, inherent to the botnets, but also network traffic self-similarity analysis, which is defined with the use of Hurst coefficient. Detection process consists of the knowledge formation based on the features that may indicate low-rate DDoS attack performed by a botnet; network monitoring, which analyzes information obtained from the network and making conclusion about possible DDoS attack in the network; and the appliance of the security scenario for the corporate area network’s infrastructure in the situation of low-rate attacks.

show abstract

“…2) DNS-based approaches: based on the fact that bots may launch DNS queries to detect and access the C&C server, DNS monitoring is used as an efficient manner to detect botnet [5]- [12]. However, these past works mainly focus on monitor-based traffic features related with botnet.…”

Section: Related Workmentioning

confidence: 99%

“…After the data have been divided, it is possible to work on the development of the classification algorithm. We will not compare the related works here [5]- [12] because the most important motivation of this work is to deeply and comprehensively analyze the botnet domain name characteristics. Then we adopt different classifiers based on our refined features to verify that the features are effective and niche targeting in order to detect the botnet domain name even under different classifiers.…”

Section: Botnet Domain Name Detectionmentioning

confidence: 99%

Analysis of Botnet Domain Names for IoT Cybersecurity

Jin

Lee

2019

IEEE Access

View full text Add to dashboard Cite

Botnets are widespread nowadays with the expansion of the Internet and commonly occur in many cyber-attacks, resulting in serious threats to network services and users' properties. With the rapid development of the Internet of Things (IoT) applications, the botnet can easily make use of IoT devices for larger-scale attacks. Domain name system (DNS) is widely used by the botnet to establish the connection between bots and their corresponding command-and-control (C&C). In order to avoid the track of the C&C through the DNS information, some sophisticated schemes are used by the botnet and fast-flux is a typical one. In this paper, the activities of Rustock botnet domain names which just use the fast-flux as the connection method between bots and C&C, are deeply analyzed from multiple aspects. Besides, we extract 32 special features of Rustock domain named querying traffic. Then multiple popular classifiers are adopted in order to pick the malicious domain names out from the DNS traffic using those 32 features. The work of this paper aims to provide guidance for future botnet detection based on real statics and experiments.

show abstract

DNS-based anti-evasion technique for botnets detection

Cited by 15 publications

References 5 publications

A Novel Approach of Botnets Detection Based on Analyzing Dynamical Network Traffic Behavior

A Novel Approach of Botnets Detection Based on Analyzing Dynamical Network Traffic Behavior

Detection of the botnets’ low-rate DDoS attacks based on self-similarity

Analysis of Botnet Domain Names for IoT Cybersecurity

Contact Info

Product

Resources

About