Abstract
The Domain Name System (DNS) is an essential infrastructure service on the internet. It provides a worldwide mapping between easily memorizable domain names and numerical IP addresses. Today, both legitimate users and malicious applications use this service to locate content on the internet, and botnets increasingly rely on DNS to reach their command and control (C&C) servers. A widespread approach to detecting bot infections inside corporate networks is to inspect DNS traffic against blacklists of C&C domains. These blacklists are built using a wide range of techniques, including passive DNS analysis, malware sandboxing and web content filtering. Using DNS to detect botnets is still an error-prone process, however: current blacklist generation algorithms often add innocuous domains, which lead to a large number of false positives during detection.
This paper presents a new system called Mentor. It implements a scalable, positive DNS reputation system that automatically removes benign entries from a blacklist of botnet C&C domains. Mentor embeds a crawler that collects statistical features about a suspect domain name, covering both its web content and its DNS properties. It applies supervised learning to a labeled set of known benign and malicious domain names, using this feature set to build a DNS pruning model. It then processes domain blacklists with this model in order to skim off benign domains and keep only truly malicious domains for detection. We tested our system against a wide set of public botnet blacklists. Experimental results show that the system detects and removes benign domain names efficiently, with a very low false positive rate.
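The pruning pipeline the abstract describes, as an added example that is not the paper's code: a labeled set of benign and malicious domains, each carrying a few constructed DNS and web-content features, trains a Gaussian naive Bayes model, which then scores a suspect blacklist and removes only the entries it is highly confident are benign. The domain names, the feature values, the choice of features, the classifier and the 0.99 confidence threshold are all assumptions of this example; Mentor's actual feature set and learning algorithm are not reproduced here.

```python
"""Positive-reputation pruning of a C&C blacklist (example code, not Mentor's).

A Gaussian naive Bayes model is trained on labeled benign/malicious domains and
used to drop blacklist entries that are confidently benign.  Every domain and
feature value below is constructed for the example.
"""
import math
from collections import namedtuple

# Per-domain features a crawler might collect (assumed feature set):
#   ip_count  - distinct IPv4 addresses returned for the name
#   min_ttl   - smallest TTL (seconds) seen on its A records
#   age_days  - days since the domain was registered
#   html_len  - bytes of HTML served on an HTTP GET to the apex (0 = nothing served)
Features = namedtuple("Features", "ip_count min_ttl age_days html_len")

# Constructed training data: benign names are old, stable and serve real pages;
# C&C names are young, short-lived in DNS and serve little or no content.
BENIGN = {
    "example-shop.test": Features(2, 3600, 2000, 45000),
    "news-portal.test": Features(4, 1800, 3500, 120000),
    "mail-provider.test": Features(3, 7200, 4000, 30000),
    "cdn-assets.test": Features(6, 600, 2500, 8000),
}
MALICIOUS = {
    "x7qz.test": Features(1, 60, 5, 0),
    "kd9w1.test": Features(1, 120, 12, 0),
    "fastflux-c2.test": Features(12, 30, 20, 300),
    "dropzone.test": Features(1, 300, 40, 150),
}

# Constructed "public blacklist" to be pruned: one innocuous domain that a
# blacklist generator added by mistake, and two genuine-looking C&C names.
SUSPECT_BLACKLIST = {
    "popular-blog.test": Features(3, 3600, 3000, 60000),
    "q4z9kx.test": Features(1, 60, 3, 0),
    "flux-node.test": Features(9, 30, 15, 0),
}


def _variance(values):
    mu = sum(values) / len(values)
    return sum((v - mu) ** 2 for v in values) / len(values)


class GaussianNB:
    """Minimal Gaussian naive Bayes over numeric feature vectors."""

    def __init__(self, var_smoothing=1e-3):
        self.var_smoothing = var_smoothing
        self.log_prior, self.mean, self.var = {}, {}, {}

    def fit(self, samples_by_label):
        all_rows = [r for rows in samples_by_label.values() for r in rows]
        total = len(all_rows)
        # Per-feature smoothing (a fraction of that feature's overall variance)
        # keeps a constant feature within one class from yielding zero variance.
        eps = [self.var_smoothing * _variance(col) for col in zip(*all_rows)]
        for label, rows in samples_by_label.items():
            cols = list(zip(*rows))
            self.log_prior[label] = math.log(len(rows) / total)
            self.mean[label] = [sum(c) / len(c) for c in cols]
            self.var[label] = [_variance(c) + e for c, e in zip(cols, eps)]
        return self

    def log_joint(self, x):
        """log P(label) + sum_i log N(x_i; mean_i, var_i) for each label."""
        out = {}
        for label in self.log_prior:
            ll = self.log_prior[label]
            for xi, mu, var in zip(x, self.mean[label], self.var[label]):
                ll += -0.5 * math.log(2 * math.pi * var) - (xi - mu) ** 2 / (2 * var)
            out[label] = ll
        return out

    def posterior(self, x):
        """Class probabilities, normalized in log space to avoid underflow."""
        lj = self.log_joint(x)
        m = max(lj.values())
        z = sum(math.exp(v - m) for v in lj.values())
        return {label: math.exp(v - m) / z for label, v in lj.items()}


def train_pruning_model(benign, malicious):
    return GaussianNB().fit({"benign": list(benign.values()),
                             "malicious": list(malicious.values())})


def prune_blacklist(model, blacklist, benign_threshold=0.99):
    """Return (kept, removed).  Only entries the model is very confident are
    benign are removed, so a real C&C domain is rarely skimmed off by mistake."""
    kept, removed = [], []
    for domain, feats in blacklist.items():
        p_benign = model.posterior(feats)["benign"]
        (removed if p_benign >= benign_threshold else kept).append(domain)
    return kept, removed


if __name__ == "__main__":
    model = train_pruning_model(BENIGN, MALICIOUS)
    kept, removed = prune_blacklist(model, SUSPECT_BLACKLIST)
    print("kept for detection:", kept)
    print("removed as benign: ", removed)
```

The threshold is deliberately asymmetric: the cost of leaving an innocuous domain on the list is some false alarms, while the cost of removing a real C&C domain is a missed infection, so only high-confidence benign verdicts lead to removal.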
© 2014 IFIP International Federation for Information Processing
Kheir, N., Tran, F., Caron, P., Deschamps, N. (2014). Mentor: Positive DNS Reputation to Skim-Off Benign Domains in Botnet C&C Blacklists. In: Cuppens-Boulahia, N., Cuppens, F., Jajodia, S., Abou El Kalam, A., Sans, T. (eds) ICT Systems Security and Privacy Protection. SEC 2014. IFIP Advances in Information and Communication Technology, vol 428. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-55415-5_1
DOI: https://doi.org/10.1007/978-3-642-55415-5_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-55414-8
Online ISBN: 978-3-642-55415-5