TY - GEN
T1 - Botnet detection by monitoring group activities in DNS traffic
AU - Choi, Hyunsang
AU - Lee, Hanwoo
AU - Lee, Heejo
AU - Kim, Hyogon
N1 - Copyright:
Copyright 2011 Elsevier B.V., All rights reserved.
PY - 2007
Y1 - 2007
AB - Recent malicious attempts are intended to get financial benefits through a large pool of compromised hosts, which are called software robots or simply "bots." A group of bots, referred to as a botnet, is remotely controllable by a server and can be used for sending spam mails, stealing personal information, and launching DDoS attacks. The growing popularity of botnets compels the search for proper countermeasures, but existing defense mechanisms hardly keep up with the speed of botnet technologies. In this paper, we propose a botnet detection mechanism that monitors DNS traffic to detect botnets, which form a group activity in DNS queries simultaneously sent by distributed bots. A few works have been proposed based on particular DNS information generated by a botnet, but they are easily evaded by changing bot programs. Our anomaly-based botnet detection mechanism is more robust than the previous approaches, so that variants of bots can be detected by looking at their group activities in DNS traffic. Experiments on a campus network show that the proposed mechanism can detect botnets effectively while bots are connecting to their server or migrating to another server.
UR - http://www.scopus.com/inward/record.url?scp=38049035805&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=38049035805&partnerID=8YFLogxK
U2 - 10.1109/CIT.2007.4385169
DO - 10.1109/CIT.2007.4385169
M3 - Conference contribution
AN - SCOPUS:38049035805
SN - 0769529836
SN - 9780769529837
T3 - CIT 2007: 7th IEEE International Conference on Computer and Information Technology
SP - 715
EP - 720
BT - CIT 2007
T2 - CIT 2007: 7th IEEE International Conference on Computer and Information Technology
Y2 - 16 October 2007 through 19 October 2007
ER -