On similarities of string and query sequence for DGA botnet detection

Authors: Chun-De Chang, Hui-Tang Lin
Venue: 2018 International Conference on Information Networking (ICOIN)
Published: 2018-04-19
DOI: https://doi.org/10.1109/ICOIN.2018.8343094
Citation count (Semantic Scholar): 5

Abstract
The Internet plays an important role in people's lives nowadays. However, Internet security is a major concern. Among the various threats facing the Internet and Internet users are so-called botnet attacks. A typical botnet is composed of a botmaster, a Command and Control (C&C) server and many compromised devices called bots. A botmaster can control these bots via the C&C server to launch various attacks, such as DDoS attacks, phishing, spam distribution, and so on. Among all botnets, Domain Generation Algorithm (DGA) botnets are particularly resilient to traditional detection, because each bot associates the C&C server with one of the domains it generates. Accordingly, this study presents a robust approach for detecting DGA botnets based on an inspection of the DNS traffic in a system. In the proposed approach, the DNS records are filtered to remove known benign or malicious domains and are then clustered using a modified Chinese Whispers algorithm. The nature of each group (i.e., malicious or benign) is then identified by means of a Sequence Similarity Module and a Query Sequence Similarity Module. It is shown that the proposed method successfully detects various types of botnet in a real-world, large-scale network.