Botnet Detection Using Passive DNS

The Domain Name System (DNS) is a distributed naming system fundamental for the normal operation of the Internet. It provides a mapping between user-friendly domain names and IP addresses. Cyber criminals use the flexibility provided by the DNS to deploy certain techniques that allow them to hide the Command and Control (CnC) servers used to manage their botnets and frustrate the detection efforts. Passive DNS (pDNS) data allows us to analyse the DNS history of a given domain name. Such is achieved by passively collecting DNS queries and the respective answers that can then be stored and easily queried. By analyzing pDNS data, one can try to follow the traces left by such techniques and be able to identify the real addresses of the botnet Command and Control servers. For instance, we expect malware-related domain names to have lower Time-to-Live (TTL) values than legitimate and benign domains. The aim of this research is the development of a proof-of-concept able to automatically analyze and identify botnet activity using pDNS data. We propose the use of machine learning techniques and devise a set of 36 different features to be used in the classification process. With two weeks of pDNS data we were able to set up, create and test different classifiers, namely k-Nearest Neighbours (kNN), Decision Trees and Random Forests. Using all-purpose blacklists we were able to achieve an accuracy of 97%, having a False Positive Rate (FPR) of 3%. However, with only two weeks of data it is not possible to find sufficient domain names used for botnet CnC servers such that we are able to extract statistically significant results. Furthermore, some of our initial assumptions hold when analysing botnet-related domain names but do not for malware-related domain names. For instance, the average TTL value for legitimate domain names is twice lower than for malware-related domain names. We believe this is due to the fact that only a small portion of our blacklist is composed of botnet-related domain names that have small TTL values. In addition, many legitimate domain names make use small values of TTL possibly to increase the availability of the services provided. Related work such as Notos [2], EXPOSURE [10] and Kopis [3] reported similar accuracy levels, however with lower FPRs. This might be due to the fact that while our feature set is extracted solely from pDNS data, such systems include also WHOIS and Autonomous System (AS) data. This data is also useful for detection of malware-related domain names and it contributes to build more accurate and precise systems. [