TY - GEN
T1 - PsyBoG
T2 - 9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014
AU - Kwon, Jonghoon
AU - Kim, Jeongsik
AU - Lee, Jehyun
AU - Lee, Heejo
AU - Perrig, Adrian
N1 - Publisher Copyright:
© 2014 IEEE.
Copyright:
Copyright 2015 Elsevier B.V., All rights reserved.
PY - 2014/12/29
Y1 - 2014/12/29
N2 - Botnets are widely used for acquiring economic profits by launching attacks such as distributed denial-of-service (DDoS), identity theft, adware installation, mass spamming, and click fraud. Many approaches have been proposed to detect botnets, which rely on end-host installations or operate on network traffic with deep packet inspection. They have limitations in detecting botnets that use evasion techniques such as packet encryption, fast flux, dynamic DNS, and DGA. Sporadic botnet behavior, caused by powering off the system or by the botnet's own nature, also brings non-negligible false detections. Furthermore, normal users' traffic causes many false alarms. In this paper, we propose a novel approach called PsyBoG to detect botnets by capturing periodic activities. PsyBoG leverages a signal processing technique, PSD (Power Spectral Density) analysis, to discover the major frequencies in the periodic DNS queries of botnets. The PSD analysis allows us to detect sophisticated botnets irrespective of their evasion techniques, sporadic behavior, and even the noise traffic generated by normal users. To evaluate PsyBoG, we utilize real-world DNS traces collected from a /16 campus network including more than 48,046K queries, 34K distinct IP addresses, and 146K domains. Finally, PsyBoG caught 19 unknown and 6 known botnet groups with 0.1% false positives.
AB - Botnets are widely used for acquiring economic profits by launching attacks such as distributed denial-of-service (DDoS), identity theft, adware installation, mass spamming, and click fraud. Many approaches have been proposed to detect botnets, which rely on end-host installations or operate on network traffic with deep packet inspection. They have limitations in detecting botnets that use evasion techniques such as packet encryption, fast flux, dynamic DNS, and DGA. Sporadic botnet behavior, caused by powering off the system or by the botnet's own nature, also brings non-negligible false detections. Furthermore, normal users' traffic causes many false alarms. In this paper, we propose a novel approach called PsyBoG to detect botnets by capturing periodic activities. PsyBoG leverages a signal processing technique, PSD (Power Spectral Density) analysis, to discover the major frequencies in the periodic DNS queries of botnets. The PSD analysis allows us to detect sophisticated botnets irrespective of their evasion techniques, sporadic behavior, and even the noise traffic generated by normal users. To evaluate PsyBoG, we utilize real-world DNS traces collected from a /16 campus network including more than 48,046K queries, 34K distinct IP addresses, and 146K domains. Finally, PsyBoG caught 19 unknown and 6 known botnet groups with 0.1% false positives.
KW - Botnet detection
KW - Group Activity
KW - Power Spectral Density
UR - http://www.scopus.com/inward/record.url?scp=84922569469&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84922569469&partnerID=8YFLogxK
U2 - 10.1109/MALWARE.2014.6999414
DO - 10.1109/MALWARE.2014.6999414
M3 - Conference contribution
AN - SCOPUS:84922569469
T3 - Proceedings of the 9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014
SP - 85
EP - 92
BT - Proceedings of the 9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 28 October 2014 through 30 October 2014
ER -