DNS Traffic Analysis for Network-based Malware Detection

(English) Botnets are generally recognized as one of the most challenging threats on the Internet today. Botnets have been involved in many attacks targeting multinational organizations and even nationwide internet services. As more effective detection and mitigation approaches are proposed by security researchers, botnet developers are employing new techniques for evasion. It is not surprising that the Domain Name System (DNS) is abused by botnets for the purposes of evasion, because of the important role of DNS in the operation of the Internet. DNS provides a flexible mapping between domain names and IP addresses, thus botnets can exploit this dynamic mapping to mask the location of botnet controllers. Domain-flux and fast-flux (also known as IP-flux) are two emerging techniques which aim at exhausting the tracking and blacklisting effort of botnet defenders by rapidly changing the domain names or their associated IP addresses that are used by the botnet. In this thesis, we employ passive DNS analysis to develop an anomaly-based technique for detecting the presence of a domain-flux or fast-flux botnet in a network. To do this, we construct a lookup graph and a failure graph from captured DNS traffic and decompose these graphs into clusters which have a strong correlation between their domains, hosts, and IP addresses. DNS related features are extracted for each cluster and used as input to a classification module to identify the presence of a domain-flux or fast-flux botnet in the network. The experimental evaluation on captured traffic traces verified that the proposed technique successfully detected domain-flux botnets in the traces. The proposed technique complements other techniques for detecting botnets through traffic analysis. The thesis deals with anomaly based techniques for detecting malware based on network traffic analysis. The main focus is on detecting fast-flux and domain-flux botnets based on the analysis of Domain Name System (DNS) traffic. The thesis consists of a summary report and a prototype system written in Python 2.7 and MATLAB ® 2010b to demonstrate the proposed technique. Acknowledgements I would like to give my gratitude to Prof. Gerald Q. Maguire Jr., my home university supervisor, for guiding me all the way through my thesis. His immense knowledge and experience in the field have helped me with all the obstacles that I encountered during my thesis work. He always finds time to help students on all subjects that matter despite his busy schedule. It was my pleasure to have him as …