Identifying Botnets Using Anomaly Detection Techniques Applied to DNS Traffic

Speaker: Chiang Hong-Ren

Upload: minh

Post on 24-Jan-2016


TRANSCRIPT

Page 1: Identifying Botnets Using Anomaly Detection Techniques Applied to DNS Traffic

Speaker: Chiang Hong-Ren

Identifying Botnets Using Anomaly Detection Techniques Applied to DNS Traffic

Page 2

Outline

Introduction

Anomaly detection techniques

DDNS-based botnet detection

Methodology

Experimental Results

Discussion

Conclusion

Page 3

Introduction

The first approach looks for domain names whose query rates are abnormally high or abnormally concentrated in time.

The second approach looks for abnormally recurring DDNS replies indicating that the queried name does not exist (NXDOMAIN).

This paper experimentally evaluates the effectiveness of these approaches for detecting botnets in enterprise and access provider networks.

Page 4

Anomaly detection techniques

Dagon et al. use Chebyshev’s inequality and a simplified version of the Mahalanobis distance to quantify how anomalous the number of queries for each domain name is during a day or during an hour of that day, respectively. Considering that botnets often use Third Level Domains (3LDs) instead of subdirectories, Dagon et al. aggregate the lookups for each Second Level Domain (SLD) with those of its respective 3LDs.

Page 5

DDNS-based botnet detection

In their method, a “Canonical DNS Request Rate” (CDRR) aggregates the query rate of an SLD with the query rates of the SLD’s child 3LDs, according to the formula:

When the CDRR of a name is anomalous according to Chebyshev’s inequality, that name has an abnormally high query rate and is likely to belong to a botnet C&C server. They suggest that names whose feature vector differs from that of a normal name by more than a threshold are likely to belong to a botnet C&C server.

Page 6

Methodology (1/3)

A. Data Collection

We collected all DNS traffic at the University of Pittsburgh (Pitt)’s Computer Science (CS) department for a period of 192 hours (9 days) starting on 2/13/2007. We used the tcpdump network sniffer to collect this data (11 GB) and stored it in the pcap format.

Page 7

Methodology (2/3)

B. Data Selection

Abbreviations:
AA = Authoritative Answer
RR = resource record
NXDOMAIN = name error
ANS = answer RR
AUTH = authority RR
TTL = Time to Live
NS = Name Server
SOA = Start of Authority

Page 8

Methodology (3/3)

C. Detection of abnormally high rates

We verified whether each SLD is anomalous according to Chebyshev’s inequality with k = 4.47. We then investigated whether the anomalous SLDs are indeed suspicious.

D. Detection of abnormally temporally concentrated rates

The top SLDs with distances exceeding a threshold were considered anomalous. We then investigated whether the anomalous SLDs are indeed suspicious.
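The two detectors described so far (the CDRR aggregation of an SLD with its child 3LDs tested with Chebyshev’s inequality at k = 4.47, and the recurring-NXDOMAIN count from the introduction) run over a constructed reply sample, as an added example that is not code from the paper or the talk; the .example names and the query counts are invented for illustration.

```python
import math
from collections import Counter

# Constructed sample of (queried name, reply code) pairs as a resolver would see them.
# 30 benign SLDs get one to three lookups each; one SLD is looked up 150 times through
# many child 3LDs, half of which come back NXDOMAIN. Invented for illustration only.
SAMPLE_REPLIES = (
    [(f"www.site{i}.example", "NOERROR") for i in range(30) for _ in range(i % 3 + 1)]
    + [(f"node{j}.c2pool.example", "NXDOMAIN" if j % 2 else "NOERROR") for j in range(150)]
)

def sld_of(name):
    """Second Level Domain of a name: node7.c2pool.example -> c2pool.example."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def cdrr(replies):
    """Canonical DNS Request Rate per SLD: the SLD's own lookups plus those of its
    child 3LDs (deeper labels are folded into the same SLD as well)."""
    per_name = Counter(name.lower().rstrip(".") for name, _ in replies)
    rates = Counter()
    for name, count in per_name.items():
        rates[sld_of(name)] += count
    return rates

def nxdomain_counts(replies):
    """NXDOMAIN replies per SLD, keeping zero entries so the distribution is complete."""
    counts = Counter({sld_of(name): 0 for name, _ in replies})
    for name, rcode in replies:
        if rcode == "NXDOMAIN":
            counts[sld_of(name)] += 1
    return counts

def chebyshev_anomalies(rates, k=4.47):
    """SLDs whose value lies more than k population standard deviations above the
    mean. Chebyshev's inequality bounds the mass beyond k sigma by 1/k^2, about 5%
    for k = 4.47, whatever the shape of the distribution."""
    values = list(rates.values())
    mu = sum(values) / len(values)
    sigma = math.sqrt(sum((v - mu) ** 2 for v in values) / len(values))
    if sigma == 0:
        return []
    return sorted(s for s, v in rates.items() if v - mu > k * sigma)

if __name__ == "__main__":
    print("high-rate SLDs:", chebyshev_anomalies(cdrr(SAMPLE_REPLIES)))
    print("NXDOMAIN-heavy SLDs:", chebyshev_anomalies(nxdomain_counts(SAMPLE_REPLIES)))
```

On real traffic the same test should be run per day or per hour, as Dagon et al. do, since a single aggregate over a long capture hides temporally concentrated bursts.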

Page 9

Experimental Results (1/8)

summarizes our results for detection based on abnormally high rates.

Page 10

Experimental Results (2/8)

SLDs in CS_NS with anomalously high rates that were independently reported as suspicious.

Page 11

Experimental Results (3/8)

Page 12

Experimental Results (4/8)

Page 13

Experimental Results (5/8)

Page 14

Experimental Results (6/8)

Page 15

Experimental Results (7/8)

Page 16

Experimental Results (8/8)

Page 17

Discussion

Distinguishing DDNS queries from other DNS queries is difficult in enterprise and access provider networks.

Many legitimate domains, such as google.com, yahoo.com, and weather.com, use low TTL values.

Some legitimate and popular domain names, such as mozilla.com, are also hosted by DDNS providers.

Smaller botnets can be expected to generate fewer queries for each C&C server, making the latter’s detection more difficult.

Page 18

Conclusion

The first approach generated many false positives (legitimate names classified as C&C servers).

The second approach was effective: most of the names it detected were independently reported as suspicious by others.

Two different algorithms for botnet detection are proposed, and both can detect the specific activity of botnets well.

Increasingly, popular legitimate names such as gmail.com and mozilla.com are using low TTL values or DDNS hosting, blurring boundaries and confounding classification.