BotDigger: Detecting DGA Bots in a Single Network

Zhang, Han and Gharaibeh, Manaf and Thanasoulas, Spiros and Papadopoulos, Christos

citation

Han Zhang, Manaf Gharaibeh, Spiros Thanasoulas and Christos Papadopoulos 2016. BotDigger: Detecting DGA Bots in a Single Network. Proceedings of the IEEE International Conference on Traffic Monitoring and Analysis (Louvain La Neuve, Belgium, Apr. 2016), 16–21. [DOI]

abstract

To improve the resiliency of communication between bots and C&C servers, bot masters began utilizing Domain Generation Algorithms (DGA) in recent years. Many systems have been introduced to detect DGA-based botnets. How- ever, they su↵er from several limitations, such as requiring DNS traffic collected across many networks, the presence of multiple bots from the same botnet, and so forth. These limitations make it very hard to detect individual bots when using traffic collected from a single network. In this paper, we introduce BotDig- ger, a system that detects DGA-based bots using DNS traffic without a priori knowledge of the domain generation algorithm. BotDigger utilizes a chain of evidence, including quantity, temporal and linguistic evidence to detect an indi- vidual bot by only monitoring traffic at the DNS servers of a single network. We evaluate BotDigger’s performance using traces from two DGA-based botnets: Kraken and Conflicker. Our results show that BotDigger detects all the Kraken bots and 99.8% of Conficker bots. A one-week DNS trace captured from our uni- versity and three traces collected from our research lab are used to evaluate false positives. The results show that the false positive rates are 0.05% and 0.39% for these two groups of background traces, respectively.

reference

@inproceedings{Zhang16b,
  author = {Zhang, Han and Gharaibeh, Manaf and Thanasoulas, Spiros and Papadopoulos, Christos},
  title = {BotDigger: Detecting DGA Bots in a Single Network},
  booktitle = {Proceedings of the  IEEE International Conference on Traffic Monitoring and Analysis},
  year = {2016},
  sortdate = {2016-04-08},
  project = {ant, lacrend, retrofuture},
  pages = {16--21},
  month = apr,
  address = {Louvain La Neuve, Belgium},
  publisher = {IEEE},
  jlocation = {johnh: pafile},
  keywords = {DGA, uses lander, domain name generation, dns},
  doi = {http://dx.doi.org/10.1109/ICIMP.2010.11},
  url = {http://www.cs.colostate.edu/~hanzhang/papers/BotDigger-TMA16.pdf}
}