How to Achieve Early Botnet Detection at the Provider Level?
Botnets are an enabler for many cyber-criminal activities and are often responsible for DDoS attacks, banking fraud, cyber-espionage and extortion. Botnets are controlled by a botmaster who uses various advanced techniques to create, maintain and hide their complex and distributed C&C infrastructures. First, they use P2P techniques and domain fast-flux to increase resilience against take-down actions. Second, botnets encrypt their communication payload to prevent signature-based detection. Both the actions that increase resilience and the prevention of signature-based detection are counteractions against detection techniques. In contrast to existing approaches, our novel approach includes DNS registration behaviour, which we currently analyse for the .com, .net and .org domains, representing half of the registered domains on the Internet. Hence, the goal of this PhD research is to enable early detection of the deployment and operation of botnets in order to facilitate proactive mitigation strategies, whereas current approaches usually detect botnets only once they are already in active use. Consequently, this proactive approach prevents botnets from fully evolving their size and attack power. Moreover, as many end users are unable to detect and clean infected machines, our approach tackles the botnet phenomenon without requiring any end user involvement, by incorporating ISPs and domain name registrars. In addition, this will enable the discovery of similar behaviour across different connected systems, which allows detection in cases where bots are registered under domains whose registrars are not willing to cooperate.
Keywords: Botnet, Early detection, Provider network, DNS, IP flow monitoring, Coordinated cyber threats, Domain registration behaviour
This work is partially funded by EU FP7 Flamingo Network of Excellence Project (ICT-318488).