Recognizing Time-Efficiently Local Botnet Infections - A Case Study

Tanja Heuer, Ina Schiering, F. Klawonn, Alexander Gabel, Martin Seeger
DOI: 10.1109/ARES.2016.16 (https://doi.org/10.1109/ARES.2016.16)
Venue: 2016 11th International Conference on Availability, Reliability and Security (ARES)
Publication date: 2016-08-01
Citation count: 3

Abstract

The domain name system (DNS) is often abused by criminals as resilient infrastructure for their network architecture. Examples of malicious activities based on these networks include phishing, click fraud, spam, and the command and control structure of botnets. Most of the proposed detection methods rely on machine learning over complex feature sets, which require considerable computational power. This paper investigates the approach of passively monitoring and analyzing DNS traffic in a time-efficient manner, based on machine learning over a reduced and robust feature set. For the evaluation, the full DNS data stream of a regional ISP is used. To increase the amount of traffic that can be labeled for the training process and to reduce the number of false negatives in the case study, this is combined with a semi-manual labeling approach that addresses domains created by Domain Generation Algorithms (DGAs). This also allows medium-sized, regional service providers to train classifiers on typical DNS traffic and to deploy systems based on the approach proposed here in the networks of organizations, as an alternative to cloud services. The evaluation shows that this approach is feasible, and prototypes are already deployed. Hence this approach can serve as an important aspect of the internal risk management of organizations.