- Type of Document: M.Sc. Thesis
- Language: Farsi
- Document No: 45202 (19)
- University: Sharif University of Technology
- Department: Computer Engineering
- Advisor(s): Kharrazi, Mehdi
- Abstract:
- A study of recent trends in cyber-attacks reveals that large families of controllable compromised computers, known as botnets, are the prominent sources of threats on the Internet. Sending stolen information and receiving commands are the principal activities of bots over C&C channels, so maximizing the availability of these vital mediums is one of their necessities. To achieve this aim, new evasion techniques such as fast-flux have evolved botnets in which a domain name with multiple resolved IPs is used rather than assigning a fixed IP to the C&C servers. Although numerous approaches have been proposed for detecting fast-flux networks, the need for a large amount of labeled data in the training phase of these mechanisms reduces their effectiveness. In this paper, a new passive detection system is proposed that needs only a small amount of DNS traffic data to detect malicious fast-flux domains. The proposed system has two main modules for analyzing the behavior of fast-flux botnets. First, it builds on previous approaches to remove a high percentage of benign domains, including those of CDNs, with the aid of historical traffic. The main idea of this module is the short lifespan of botnet domains in comparison to legitimate CDN domains: by eliminating the domains present in the history, the CDN domains are removed (because of their long lifespans) and the malicious domains with short lifespans remain for further analysis. This project provides an efficient implementation for the use of historical traffic as a whitelist. The second module uses two fundamental attributes of fast-flux domains (a high flux of resolved IPs and a small TTL value) in the form of probability functions to determine the flux rate of each domain.
At this point, a hypothesis test for sequential analysis, the Sequential Probability Ratio Test (SPRT), makes it possible to analyze data in short time windows while the final result reflects the cumulative impact of all time windows. Unlike most previous approaches, our system is not limited to the bot instances in the training dataset; instead, it can detect malicious domains by calculating a flux rate from the fundamental characteristics of fast-flux botnets. We evaluate this approach using DNS traces collected in a campus network. The experimental results show that the proposed system can detect malicious fast-flux domains with a high detection rate (94.4%) and a low false positive rate (0.001%) while providing real-time monitoring and requiring a minimal amount of traffic.
- Keywords:
- Botnet Networks Detection ; Traffic Analysis ; Domain Name System (DNS) ; Command and Control Channel ; Sequential Probability Ratio Testing ; Domain Flux ; Fast Flux
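The two-module pipeline the abstract describes (a history whitelist that drops long-lived CDN domains, then a per-window SPRT over IP flux and TTL) can be illustrated on a handful of DNS records. The following is an added example written for this page; it is not the thesis's code, and the per-window probability model (a Bernoulli "flux event" that fires when new IPs appear with a TTL below an assumed 300-second cut-off, with assumed event probabilities of 0.8 under the fast-flux hypothesis and 0.1 under the benign one) is an assumption made here, not the thesis's actual probability functions. The sample records, the historical whitelist and the domain names are all constructed.

```python
"""Sequential (SPRT-style) fast-flux domain detector over DNS resolution records.

Added illustration, not the thesis's code. Module 1 drops domains present in
historical traffic (long-lived, e.g. CDNs); module 2 turns each time window
into a flux observation and feeds Wald's Sequential Probability Ratio Test.
The Bernoulli observation model and all parameters below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import math

# Constructed sample records: (window index, domain, resolved IPs, TTL seconds).
RECORDS = [
    (0, "cdn.static.example.net", {"203.0.113.10", "203.0.113.11"}, 60),
    (1, "cdn.static.example.net", {"203.0.113.12"}, 60),
    (0, "update.corp.example.com", {"192.0.2.5"}, 3600),
    (1, "update.corp.example.com", {"192.0.2.5"}, 3600),
    (2, "update.corp.example.com", {"192.0.2.5"}, 3600),
    (3, "update.corp.example.com", {"192.0.2.5"}, 3600),
    (0, "login-verify.example.org", {"198.51.100.7", "198.51.100.8"}, 120),
    (1, "login-verify.example.org", {"198.51.100.21", "198.51.100.33"}, 90),
    (2, "login-verify.example.org", {"198.51.100.40"}, 150),
    (3, "login-verify.example.org", {"198.51.100.52", "198.51.100.60"}, 100),
]

# Constructed historical whitelist: domains already seen in earlier traffic.
HISTORY = {"cdn.static.example.net"}

TTL_THRESHOLD = 300       # seconds; assumed cut-off for a "small TTL"
P_FLUX_MALICIOUS = 0.8    # assumed P(flux event | fast-flux domain)
P_FLUX_BENIGN = 0.1       # assumed P(flux event | benign domain)
ALPHA, BETA = 0.01, 0.05  # target false-positive / false-negative rates


@dataclass
class SprtState:
    """Per-domain accumulator: running log-likelihood ratio and IPs seen so far."""
    llr: float = 0.0
    seen_ips: set = field(default_factory=set)
    decision: str = "undecided"


def sprt_thresholds(alpha=ALPHA, beta=BETA):
    """Wald's bounds: decide fast-flux above `upper`, benign below `lower`."""
    upper = math.log((1 - beta) / alpha)
    lower = math.log(beta / (1 - alpha))
    return lower, upper


def flux_event(state, ips, ttl, ttl_threshold=TTL_THRESHOLD):
    """One window's observation: previously unseen IP(s) resolved AND TTL is small."""
    new_ips = ips - state.seen_ips
    state.seen_ips |= ips
    return bool(new_ips) and ttl < ttl_threshold


def llr_increment(event, p1=P_FLUX_MALICIOUS, p0=P_FLUX_BENIGN):
    """Log-likelihood ratio contribution of a single Bernoulli observation."""
    if event:
        return math.log(p1 / p0)
    return math.log((1 - p1) / (1 - p0))


def detect(records=RECORDS, history=HISTORY):
    """Whitelist filtering, then per-domain SPRT; returns domain -> decision."""
    lower, upper = sprt_thresholds()
    states = defaultdict(SprtState)
    for _window, domain, ips, ttl in sorted(records, key=lambda r: r[0]):
        if domain in history:
            continue  # module 1: long-lived domain, drop it
        st = states[domain]
        if st.decision != "undecided":
            continue  # SPRT already terminated for this domain
        st.llr += llr_increment(flux_event(st, ips, ttl))
        if st.llr >= upper:
            st.decision = "fast-flux"
        elif st.llr <= lower:
            st.decision = "benign"
    return {d: s.decision for d, s in states.items()}


if __name__ == "__main__":
    for domain, verdict in detect().items():
        print(f"{domain}: {verdict}")
```

With these parameters the CDN domain never reaches the test, the long-TTL corporate domain is declared benign after two windows, and the constructed fluxing domain crosses the upper bound after three windows; the point of the sequential test is exactly that each domain consumes only as many windows as it takes to reach a confident verdict.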