Botnet detection based on DNS traffic similarity
by Ahmad M. Manasrah; Walaa Bani Domi; Nur Nadiyah Suppiah
International Journal of Advanced Intelligence Paradigms (IJAIP), Vol. 15, No. 4, 2020

Abstract: Despite the efforts in combating the threat of botnets, they continue to grow in size and in the sophistication of their evasion techniques. The bot software is written once and spreads to other machines all over the world. The bot software is preconfigured to locate the malicious domain name (if it is not static) through the DNS system, like any other legitimate host. In this paper, a scalable approach for detecting a group of bot hosts from their DNS traffic is proposed. The proposed approach leverages a signal processing technique, power spectral density (PSD) analysis, to discover the significant frequencies (i.e., periods) of the botnets' periodic DNS queries. The proposed approach processes the timing information of the generated DNS queries, regardless of the number of queries or domain names. Measuring the level of similarity between hosts demonstrating periodic DNS queries should reveal the group of bot hosts in the monitored network. Finally, we evaluated the proposed approach using multiple DNS traces collected from different sources along with a real-world botnet deployed in a controlled environment. The evaluation results show that the proposed approach was able to detect the group of bot hosts that demonstrate a similar periodic DNS pattern with high accuracy and a minimal false-positive rate.
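The idea in the abstract, as an added illustration that is not code from the paper or its authors: each host's DNS query timestamps are binned, a periodogram gives the dominant period, and hosts whose spectra match are paired. The bin size, window length, use of cosine similarity, the 0.9 threshold, and the host addresses and timestamps are all assumptions constructed for this sketch.

```python
import cmath
import math

BIN = 10      # seconds per time bin (assumed)
WINDOW = 600  # seconds of observed traffic per host (assumed)

def psd(timestamps):
    """Periodogram of a host's binned DNS query times, for k = 1..N/2."""
    n = WINDOW // BIN
    x = [0.0] * n
    for t in timestamps:
        x[int(t) // BIN] += 1
    mean = sum(x) / n
    x = [v - mean for v in x]  # remove the DC component
    return [abs(sum(v * cmath.exp(-2j * math.pi * k * i / n)
                    for i, v in enumerate(x))) ** 2 / n
            for k in range(1, n // 2 + 1)]

def dominant_period(spectrum):
    """Period in seconds of the strongest frequency bin."""
    k = max(range(len(spectrum)), key=spectrum.__getitem__) + 1
    return WINDOW / k

def similarity(p, q):
    """Cosine similarity of two power spectra; query phase does not matter."""
    dot = sum(a * b for a, b in zip(p, q))
    norm = math.sqrt(sum(a * a for a in p)) * math.sqrt(sum(b * b for b in q))
    return dot / norm if norm else 0.0

def similar_pairs(hosts, threshold=0.9):  # threshold is an assumed value
    """Host pairs whose DNS timing spectra are at least `threshold` similar."""
    spectra = {h: psd(ts) for h, ts in hosts.items()}
    names = sorted(spectra)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if similarity(spectra[a], spectra[b]) >= threshold]

# Constructed sample data: DNS query timestamps (seconds) per host.
HOSTS = {
    "10.0.0.5": [60 * j + off for j in range(10) for off in (5, 15)],
    "10.0.0.9": [60 * j + off for j in range(10) for off in (22, 24, 31)],
    "10.0.0.7": [203, 211, 224, 236, 241],  # a single burst, not periodic
}

if __name__ == "__main__":
    for host, ts in HOSTS.items():
        print(host, "dominant period:", dominant_period(psd(ts)), "s")
    print("similar hosts:", similar_pairs(HOSTS))
```

The two 60-second hosts pair up even though they differ in phase and in queries per burst, because only the power spectrum is compared. For the burst-only host the strongest bin is simply the window length, so a production detector would also need a significance test on the peak before treating a host as periodic.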

Online publication date: Thu, 26-Mar-2020
