Identifying botnets by capturing group activities in DNS traffic
- Authors
- Choi, Hyunsang; Lee, Heejo
- Issue Date
- 12-1월-2012
- Publisher
- ELSEVIER SCIENCE BV
- Keywords
- Botnet; Group activity; DNS
- Citation
- COMPUTER NETWORKS, v.56, no.1, pp.20 - 33
- Indexed
- SCIE
SCOPUS
- Journal Title
- COMPUTER NETWORKS
- Volume
- 56
- Number
- 1
- Start Page
- 20
- End Page
- 33
- URI
- https://scholar.korea.ac.kr/handle/2021.sw.korea/109084
- DOI
- 10.1016/j.comnet.2011.07.018
- ISSN
- 1389-1286
- Abstract
- Botnets have become the main vehicle to conduct online crimes such as DDoS, spam, phishing and identity theft. Even though numerous efforts have been directed towards detection of botnets, evolving evasion techniques easily thwart detection. Moreover, existing approaches can be overwhelmed by the large amount of data needed to be analyzed. In this paper, we propose a light-weight mechanism to detect botnets using their fundamental characteristics, i.e., group activity. The proposed mechanism, referred to as BotGAD (botnet group activity detector) needs a small amount of data from DNS traffic to detect botnet, not all network traffic content or known signatures. BotGAD can detect botnets from a large-scale network in real-time even though the botnet performs encrypted communications. Moreover, BotGAD can detect botnets that adopt recent evasion techniques. We evaluate BotGAD using multiple DNS traces collected from different sources including a campus network and large ISP networks. The evaluation shows that BotGAD can automatically detect botnets while providing real-time monitoring in large scale networks. (C) 2011 Elsevier B.V. All rights reserved.
- Files in This Item
- There are no files associated with this item.
- Appears in
Collections - Graduate School > Department of Computer Science and Engineering > 1. Journal Articles
Items in ScholarWorks are protected by copyright, with all rights reserved, unless otherwise indicated.