Founded in 1966

Identifying Botnets Using Anomaly Detection Techniques Applied to DNS Traffic

Ricardo Villamarin-Salomon  (CS Grad/Pitt)

Tuesday, January 8, 2008
12 pm - SENSQ 5317

Free pizza and refreshments will be provided to attendees starting at 11:45 am

Abstract

Bots are compromised computers that communicate with a botnet command and control (C&C) server. Bots typically employ dynamic DNS (DDNS) to locate the respective C&C server. By injecting commands into such servers, botmasters can reuse bots for a variety of attacks. We evaluate two approaches for identifying botnet C&C servers based on anomalous DDNS traffic. The first approach consists in looking for domain names whose query rates are abnormally high or temporally concentrated. High DDNS query rates may be expected because botmasters frequently move C&C servers, and botnets with as many as 1.5 million bots have been discovered. The second approach consists in looking for abnormally recurring DDNS replies indicating that the query is for an inexistent name (NXDOMAIN). Such queries may correspond to bots trying to locate C&C servers that have been taken down. In our experiments, the second approach automatically identified several domain names that were independently reported by others as being suspicious, while the first approach was not as effective.

Joint work with Jose' Brustoloni.

 

You are using an older browser that does not support current Web standards. Although this site is viewable in all browsers, it will look much better in a browser that supports Web standards.