Identifying DGA-Based Botnets Using Network Anomaly Detection

Abstract

Nowadays, the attacks are no longer performed from a single computer but from thousands, sometimes millions of systems that are located all over the globe and are grouped in a network called botnet. The most widely used technique to control a botnet is to try to connect to many domain names, generated according to an algorithm called domain generating algorithm (DGA). In this paper we present different algorithms that can determine if a computer is part of a botnet by looking at its network traffic. Since in some cases the network traffic is impossible to be shared due to privacy reasons we also analyze the case where just limited information can be provided (such as a netflow log). The algorithms presented here were obtained after reverse engineering and analyzing the DGA of 18 different botnets including some that were taken down (such as Cryptolocker) and ones that are still alive and thriving (such as PushDo, Tinba, Nivdort, DirtyLocker, Dobot, Patriot, Ramdo, Virut, Ramnit and many more).