Title: Botnet detection based on DNS traffic similarity

Authors: Ahmad M. Manasrah; Walaa Bani Domi; Nur Nadiyah Suppiah

Addresses: Networking and Information Security Department, Yarmouk University, 21163, Irbid, Jordan; Computer Science Department, Yarmouk University, 21163, Irbid, Jordan; National Advanced IPv6 Center, Universiti Sains Malaysia, Malaysia

Abstract: Despite efforts to combat the threat of botnets, they continue to grow in size and in the sophistication of their evasion techniques. The bot software is written once and then spreads to machines all over the world. If the malicious domain name is not static, the bot software is preconfigured to locate it through the DNS system, like any other legitimate host. In this paper, a scalable approach for detecting a group of bot hosts from their DNS traffic is proposed. The proposed approach leverages a signal processing technique, power spectral density (PSD) analysis, to discover the significant frequencies (i.e., periods) of the botnet's periodic DNS queries. It processes the timing information of the generated DNS queries, regardless of the number of queries or domain names. Measuring the level of similarity between hosts that demonstrate periodic DNS queries should then reveal the group of bot hosts in the monitored network. Finally, we evaluated the proposed approach using multiple DNS traces collected from different sources, along with a real-world botnet deployed in a controlled environment. The evaluation results show that the proposed approach was able to detect the group of bot hosts that demonstrate a similar periodic DNS pattern with high accuracy and a minimal false positive rate.
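The abstract describes the pipeline only at a high level. The following added example (written for this page; it is not the authors' code) shows the idea end to end in Python: each host's DNS query timestamps are binned into a query-count series, a PSD is computed from that series alone, a host is flagged periodic when one frequency bin stands far above the mean power, and flagged hosts are grouped by the similarity of their spectra. Everything in it is an assumption made for illustration: the constructed query log with its IPs and names, the 1 s bins over a 1024 s window, the peak-to-mean ratio used to call a frequency significant, and cosine similarity of the PSD vectors as the similarity measure (the abstract does not name its measure). It goes slightly beyond the text in taking the lowest significant frequency as the fundamental period, so that a harmonic of a query train is not reported as its period.

```python
"""Added example: grouping hosts by similar periodic DNS query timing via PSD analysis.
All values below (log, bins, window, thresholds, similarity measure) are assumptions."""
import cmath
import math
import random
from collections import defaultdict

WINDOW = 1024.0      # observation window in seconds (power of two so the radix-2 FFT applies)
BIN = 1.0            # bin width in seconds: each host becomes a 1024-sample query-count series
PEAK_RATIO = 15.0    # a frequency is "significant" when its power exceeds this multiple of the mean
SIM_THRESHOLD = 0.8  # PSD cosine similarity needed to put two periodic hosts in one group


def make_sample_log(seed=7):
    """Constructed DNS log of (timestamp_seconds, client_ip, qname): three hypothetical
    bot hosts resolving a rendezvous name every 32 s with +-1 s jitter and different start
    offsets, one host polling every 24 s, and two legitimate hosts querying at random times."""
    rng = random.Random(seed)
    log = []
    for ip, start in (("10.0.0.5", 3.0), ("10.0.0.6", 17.5), ("10.0.0.7", 9.2)):
        t = start
        while t < WINDOW:
            log.append((t + rng.uniform(-1.0, 1.0), ip, "rendezvous.example"))
            t += 32.0
    t = 5.0
    while t < WINDOW:
        log.append((t + rng.uniform(-1.0, 1.0), "10.0.0.8", "poll.example"))
        t += 24.0
    for ip in ("10.0.0.20", "10.0.0.21"):
        for _ in range(40):
            name = rng.choice(["www.example", "mail.example", "cdn.example"])
            log.append((rng.uniform(0.0, WINDOW), ip, name))
    log.sort()
    return log


def bin_queries(log, window=WINDOW, width=BIN):
    """Per-host query-count series; only timing is kept, query names are ignored."""
    n = int(window // width)
    series = defaultdict(lambda: [0.0] * n)
    for ts, ip, _qname in log:
        if 0.0 <= ts < window:
            series[ip][int(ts // width)] += 1.0
    return dict(series)


def fft(x):
    """Recursive radix-2 Cooley-Tukey FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        twiddle = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + twiddle
        out[k + n // 2] = even[k] - twiddle
    return out


def psd(series):
    """Power for frequency bins k = 1 .. N/2 (DC dropped); index i is bin k = i + 1."""
    spec = fft(series)
    return [abs(spec[k]) ** 2 for k in range(1, len(series) // 2 + 1)]


def fundamental_period(power, width=BIN, ratio=PEAK_RATIO):
    """Period in seconds of the lowest significant frequency, or None if nothing stands out.
    The lowest significant bin is used instead of the global maximum so that a harmonic
    (2f, 3f, ...) of a query train is not reported as its period."""
    n = 2 * len(power)
    mean = sum(power) / len(power)
    for i, p in enumerate(power):
        if p > ratio * mean:
            return n * width / (i + 1)
    return None


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / math.sqrt(sum(x * x for x in a) * sum(y * y for y in b))


def detect_groups(log):
    """Return ({host: period_seconds} for periodic hosts, list of host groups).
    Grouping is single-linkage on PSD cosine similarity; the PSD is phase-invariant,
    so hosts with the same period but different start offsets still match."""
    periodic = {}
    for ip, series in bin_queries(log).items():
        power = psd(series)
        period = fundamental_period(power)
        if period is not None:
            periodic[ip] = (period, power)
    groups = []
    for ip in sorted(periodic):
        for group in groups:
            if any(cosine(periodic[ip][1], periodic[o][1]) >= SIM_THRESHOLD for o in group):
                group.append(ip)
                break
        else:
            groups.append([ip])
    return {ip: round(period, 1) for ip, (period, _) in periodic.items()}, groups


if __name__ == "__main__":
    periods, groups = detect_groups(make_sample_log())
    for ip, period in sorted(periods.items()):
        print(f"{ip}: periodic DNS queries every {period} s")
    for group in groups:
        print("similar-period group:", ", ".join(group))
```

Two design points carry over to real traffic. The bin width must be wider than the timing jitter of the queries, or the pulses smear across bins and the harmonics weaken; the window length fixes the frequency resolution, so periods that do not divide the window evenly (the 24 s host here) leak into neighbouring bins and come out as an approximate period. Both the peak-to-mean ratio and the similarity threshold need tuning per network, since the mean power scales with the number of queries a host makes in the window.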

Keywords: botnet detection; traffic similarity; traffic anomaly; group activity; malware activity; traffic behaviour analysis; network intrusion detection.

DOI: 10.1504/IJAIP.2020.106030

International Journal of Advanced Intelligence Paradigms, 2020 Vol.15 No.4, pp.357 - 387

Received: 09 Jan 2017
Accepted: 04 Mar 2017

Published online: 26 Mar 2020
