DocumentCode :
1895582
Title :
Detection of botnet collusion by degree distribution of domains
Author :
Burghouwt, Pieter ; Spruit, Marcel ; Sips, Henk
Author_Institution :
Res. Group Inf. Security, Hague Univ. of Appl. Sci., Netherlands
fYear :
2010
fDate :
8-11 Nov. 2010
Firstpage :
1
Lastpage :
8
Abstract :
Malicious botnets threaten the Internet by DDoS-attacks, spam, information theft and other criminal activities. They are using increasingly sophisticated techniques to hide the Command and Control traffic. Many existing detection techniques can be defeated by encryption, tunneling in popular protocols, delays, and flow perturbation. We introduce a new DNS-based detection approach that detects botnet collusion by anomalies in the degree distribution of visited domains, without any assumption about message content and statistical properties of the traffic. The proposed technique is difficult to evade without major changes in the bot Command and Control Infrastructure or reduced utility. We evaluate evasion possibilities, derive a theoretical model of the detector performance and test the detector with a combination of captured Internet traffic and simulated botnet-traffic.
Keywords :
Internet; computer crime; invasive software; DDoS-attacks; DNS-based detection; Internet; botnet collusion; criminal activities; degree distribution; encryption; information theft; malicious botnets; spam; tunneling; Unsolicited electronic mail;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Internet Technology and Secured Transactions (ICITST), 2010 International Conference for
Conference_Location :
London
Print_ISBN :
978-1-4244-8862-9
Electronic_ISBN :
978-0-9564263-6-9
Type :
conf
Filename :
5678103