
Identifying Botnets Using Anomaly Detection Techniques Applied to DNS Traffic
Speaker: Chiang Hong-Ren
Outline
Introduction
Anomaly detection techniques
DDNS-based botnet detection
Methodology
Experimental Results
Discussion
Conclusion
2016/7/15
Introduction
The first approach consists in looking for domain names whose query rates are abnormally high or abnormally concentrated in time.
The second approach consists in looking for abnormally recurring DDNS replies indicating that the queried name does not exist (NXDOMAIN).
This paper evaluates experimentally the effectiveness of these
approaches for detecting botnets in enterprise and access
provider networks.
Anomaly detection techniques
Dagon et al. use Chebyshev’s inequality and a simplified version of the Mahalanobis distance to quantify how anomalous the number of queries for each domain name is during a day or during each hour of that day, respectively.
Considering that botnets often use Third Level Domains (3LDs) instead of subdirectories, Dagon et al. aggregate lookups for each Second Level Domain (SLD) with those of its respective 3LDs.
DDNS-based botnet detection
In their method, a “Canonical DNS Request Rate” (CDRR) aggregates the query rate of an SLD with the query rates of the SLD’s child 3LDs, according to the formula:
When the CDRR of a name is anomalous according to Chebyshev’s inequality, that name has an abnormally high query rate and is likely to belong to a botnet C&C server.
They further suggest that names whose feature vector (the per-hour query counts over a day) differs from that of a normal name by more than a threshold are likely to belong to a botnet C&C server.
Methodology (1/3)
A. Data Collection
We collected all DNS traffic at the University of Pittsburgh (Pitt)’s Computer Science (CS) department for a period of 192 hours (8 days) starting on 2/13/2007.
We used the tcpdump network sniffer to collect this data (11 GB) and stored it in the pcap format.
Methodology (2/3)
B. Data Selection
Abbreviations used in the selection criteria:
AA = Authoritative Answer
NXDOMAIN = name error
AUTH = Authority RR
NS = Name Server
RR = Resource Record
ANS = Answer RR
TTL = Time to Live
SOA = Start of Authority
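The fields listed above are what the selection step reads out of each captured reply, and the second approach from the introduction (abnormally recurring NXDOMAIN replies) counts over the replies that pass selection. The following is an added example, not code from the paper or from this talk: it parses the relevant fields from raw DNS response messages and flags names whose NXDOMAIN replies recur. The sample replies are constructed in the block (not captured Pitt traffic), and the selection heuristic (a TTL of at most 60 seconds on the answer or on the negative-caching SOA marks a reply as dynamic-DNS-like) and the recurrence threshold are assumptions made for the example, since the slides do not give the exact rules.

```python
import struct
from collections import Counter

RCODE_NXDOMAIN = 3       # "name error" in the legend above
TYPE_SOA = 6
DDNS_TTL_MAX = 60        # seconds; assumed cut-off for a "low TTL" in this example

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def read_name(msg, off):
    """Decode a name, following compression pointers; returns (name, next offset)."""
    labels, end = [], None
    for _ in range(128):                     # hop limit against pointer loops
        length = msg[off]
        if length & 0xC0 == 0xC0:            # two-byte pointer into the message
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("malformed name")
    return ".".join(labels).lower(), (end if end is not None else off)

def parse_reply(msg):
    """Extract the header flags and RR fields the selection step needs (AA, RCODE,
    answer TTLs, authority RRs such as the SOA)."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off, qname = 12, None
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4                             # skip QTYPE and QCLASS
    def section(count, off):
        rrs = []
        for _ in range(count):
            _owner, off = read_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rrs.append((rtype, ttl))
            off += 10 + rdlen
        return rrs, off
    answers, off = section(an, off)
    authority, off = section(ns, off)
    return {"qname": qname, "aa": bool(flags & 0x0400), "rcode": flags & 0x000F,
            "answer_ttls": [ttl for _, ttl in answers], "authority": authority}

def looks_like_ddns(r):
    """Selection heuristic assumed for this example: a low TTL on the answer, or on
    the negative-caching SOA that accompanies an NXDOMAIN, marks the reply as DDNS-like."""
    ttls = r["answer_ttls"] + [ttl for t, ttl in r["authority"] if t == TYPE_SOA]
    return any(ttl <= DDNS_TTL_MAX for ttl in ttls)

def recurring_nxdomain(replies, min_count):
    """Second approach: names whose DDNS-like NXDOMAIN replies recur at least min_count times."""
    hits = Counter(r["qname"] for r in map(parse_reply, replies)
                   if r["rcode"] == RCODE_NXDOMAIN and looks_like_ddns(r))
    return sorted(name for name, n in hits.items() if n >= min_count)

def build_reply(qname, rcode, answer_ttl=None, soa_ttl=None):
    """Constructed authoritative response (not captured traffic): one question, optionally
    an A answer with the given TTL, optionally an SOA in the authority section (a real
    NXDOMAIN carries the zone apex's SOA; here its owner simply points at qname)."""
    an, ns = int(answer_ttl is not None), int(soa_ttl is not None)
    msg = struct.pack("!6H", 0x1234, 0x8400 | rcode, 1, an, ns, 0)   # QR=1, AA=1
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)              # QTYPE=A, QCLASS=IN
    if an:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, answer_ttl, 4) + bytes([192, 0, 2, 1])
    if ns:
        rdata = (encode_name("ns1.example.net") + encode_name("hostmaster.example.net")
                 + struct.pack("!5I", 1, 3600, 600, 86400, soa_ttl))
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, 1, soa_ttl, len(rdata)) + rdata
    return msg

def constructed_replies():
    """Constructed reply stream: a C&C name that keeps failing, one typo, normal traffic."""
    return ([build_reply("c2.badnet.org", RCODE_NXDOMAIN, soa_ttl=60)] * 6
            + [build_reply("typo.exmaple.com", RCODE_NXDOMAIN, soa_ttl=60)]
            + [build_reply("www.example.com", 0, answer_ttl=300)] * 3
            + [build_reply("mail.example.com", 0, answer_ttl=30)] * 2)

if __name__ == "__main__":
    print(recurring_nxdomain(constructed_replies(), min_count=5))
```

The one-off typo produces a single NXDOMAIN and is not reported; the C&C name is reported because its NXDOMAIN replies recur. On a real capture the same name would normally be looked up by many bots, so counting per name is the natural unit; counting per (client, name) pair would instead single out individual infected hosts.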
Methodology (3/3)
C. Detection of abnormally high rates
For each SLD, we verified whether its CDRR is anomalous according to Chebyshev’s inequality with k = 4.47 (the inequality bounds the fraction of names more than k standard deviations from the mean at 1/k², about 5% for this k).
We investigated whether anomalous SLDs are indeed suspicious.
D. Detection of abnormally temporally concentrated rates
The top SLDs with distances exceeding a threshold were considered anomalous.
We investigated whether anomalous SLDs are indeed suspicious.
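The CDRR aggregation and the two detectors applied in steps C and D (Chebyshev’s inequality on daily rates, the simplified Mahalanobis distance on hourly shape) can be put together in a few dozen lines. The following is an added example written for this summary, not code from the paper, from this talk, or from Dagon et al. It assumes, because the slides omit the exact formula, that the CDRR of an SLD is the plain sum of its own query count and the counts of its 3LDs; that the “simplified Mahalanobis distance” is the covariance-free form sum|x_i - mean_i| / (std_i + alpha), with alpha = 0.01 chosen here; and that the distance threshold is 20. The query log is constructed inside the block (not Pitt CS traffic) and the generalisation beyond the slides is that the hourly vectors are normalised to fractions of each SLD’s daily total, so that a popular but evenly queried name is not mistaken for a temporally concentrated one.

```python
import math
from collections import defaultdict

K = 4.47       # Chebyshev k from the study: P(|X - mu| >= k*sigma) <= 1/k**2 ~= 0.05
ALPHA = 0.01   # smoothing term in the simplified Mahalanobis distance (assumed value)

def sld_of(qname):
    """Second-level domain of a query name. Assumes a one-label public suffix
    ('com', 'org'); a deployment would consult the Public Suffix List so that
    names under 'co.uk'-style suffixes are not split wrongly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def cdrr_vectors(log):
    """Per-SLD hourly query vectors from an iterable of (hour, qname).
    Queries for 3LDs (and deeper names) are folded into their SLD; this plain
    summation stands in for the CDRR formula the slides do not reproduce."""
    vecs = defaultdict(lambda: [0] * 24)
    for hour, qname in log:
        vecs[sld_of(qname)][hour] += 1
    return dict(vecs)

def _mean_std(values):
    mu = sum(values) / len(values)
    return mu, math.sqrt(sum((v - mu) ** 2 for v in values) / len(values))

def high_rate_anomalies(vecs, k=K):
    """Step C: SLDs whose daily CDRR exceeds mean + k*sigma over all SLDs."""
    totals = {sld: sum(v) for sld, v in vecs.items()}
    mu, sigma = _mean_std(list(totals.values()))
    return sorted(sld for sld, t in totals.items() if t > mu + k * sigma)

def hourly_profile(vecs):
    """Normalise each SLD's 24-hour vector to fractions of its daily total and
    build the per-hour mean/std over all SLDs: the 'normal name' profile."""
    fracs = {}
    for sld, v in vecs.items():
        total = sum(v)
        fracs[sld] = [c / total for c in v]
    mean, std = [], []
    for h in range(24):
        m, s = _mean_std([f[h] for f in fracs.values()])
        mean.append(m)
        std.append(s)
    return fracs, mean, std

def simplified_mahalanobis(x, mean, std, alpha=ALPHA):
    """Covariance-free distance sum|x_i - mean_i| / (std_i + alpha), assumed here
    as the 'simplified Mahalanobis distance'."""
    return sum(abs(xi - mi) / (si + alpha) for xi, mi, si in zip(x, mean, std))

def temporal_anomalies(vecs, threshold):
    """Step D: SLDs whose hourly shape is farther than threshold from the profile."""
    fracs, mean, std = hourly_profile(vecs)
    dist = {sld: simplified_mahalanobis(f, mean, std) for sld, f in fracs.items()}
    return sorted(sld for sld, d in dist.items() if d > threshold)

def constructed_log():
    """Constructed sample, not real traffic: 100 ordinary SLDs with a flat daily
    shape (5-7 queries/hour, some queried via a 'www' 3LD), one popular site at
    30 queries/hour, and one C&C SLD whose bots query ten 3LDs in hours 2 and 3 only."""
    log = []
    for i in range(100):
        name = f"www.site{i:02d}.com" if i % 2 else f"site{i:02d}.com"
        for h in range(24):
            log += [(h, name)] * (5 + (i + h) % 3)
    for h in range(24):
        log += [(h, "www.popular.com")] * 30
    for j in range(10):
        for h in (2, 3):
            log += [(h, f"b{j}.badnet.org")] * 36
    return log

if __name__ == "__main__":
    vecs = cdrr_vectors(constructed_log())
    print("abnormally high rate:", high_rate_anomalies(vecs))          # popular.com is a false positive
    print("temporally concentrated:", temporal_anomalies(vecs, 20.0))  # only badnet.org
```

The run illustrates the conclusion drawn later in the talk: the rate detector flags both the C&C SLD and the heavily queried legitimate site, because it only sees volume, while the hourly-shape detector separates the two. One limitation to keep in mind when tuning k: with n names and a single outlier the largest possible z-score is sqrt(n - 1), so k = 4.47 cannot fire at all on fewer than 21 names.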
Experimental Results (1/8)
Summary of results for detection based on abnormally high rates.
Experimental Results (2/8)
SLDs in CS_NS with anomalously high rates that were independently reported as suspicious.
Discussion
Distinguishing DDNS queries from other DNS queries is difficult in enterprise and access provider networks.
Many legitimate domains, such as google.com, yahoo.com, and weather.com, use low TTL values.
Some legitimate and popular domain names, such as mozilla.com, are also hosted by DDNS providers.
Smaller botnets can be expected to generate fewer queries for each C&C server, making the latter’s detection more difficult.
Conclusion
The first approach generated many false positives (legitimate names classified as C&C servers).
The second approach was effective: most of the names it detected were independently reported as suspicious by others.
Two anomaly-detection algorithms for botnet detection were evaluated; each targets a specific aspect of botnet DNS activity (query volume and timing, and recurring NXDOMAIN replies).
Increasingly, popular legitimate names such as gmail.com and mozilla.com use low TTL values or DDNS hosting, blurring the boundary between legitimate and botnet DNS behaviour and confounding classification.