Research and Implementation of DGA-based Botnet Detection



Bibliographic Details
Main Authors: Wei-Tsung Cheng, 鄭瑋宗
Other Authors: Hui-Tang Lin
Format: Others
Language: zh-TW
Published: 2013
Online Access: http://ndltd.ncl.edu.tw/handle/35587536363957509955
Description
Summary: Master's === National Cheng Kung University === Institute of Computer and Communication Engineering === 101 === Today, ever-changing online services attract more and more users to the Internet. However, most users are naive and unaware of the security issues that come with using these services. Among all network security issues, botnets (or zombie networks) have been a major threat. A botmaster controls a botnet to launch attacks such as information theft, phishing sites, spam mail and distributed denial of service (DDoS). To avoid detection, many botnets apply a domain generation algorithm (DGA) to increase their survivability. In general, a DGA bot tries to connect to the Command-and-Control (C&C) server by sequentially querying a list of domains generated by the DGA. By doing so, DGA botnets evade detection because the queried C&C domains keep changing. However, a bot usually generates a large number of queries for non-existent domains before it successfully connects to the active C&C server. Therefore, this research develops a DGA-based botnet detection system by analyzing non-existent domain queries in DNS traffic. According to their domain query behavior, users are classified into a normal group or a malicious group. Unlike previous detection approaches, which need to process a large amount of C&C domain queries and/or perform deep packet inspection on each packet, this research significantly reduces the amount of data to be processed by examining only the non-existent domain queries, while achieving a 95% detection ratio. Finally, experiments have been conducted by applying the proposed system to the NCKU campus network. The results show that the proposed scheme effectively detects many compromised hosts associated with DGA-based botnets that are not detected by the traditional detection system.
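The detection idea in the abstract, counting a host's failed (NXDOMAIN) lookups instead of inspecting every packet, as an added illustration in Python; this is not the thesis's own classifier, and the log format, the two features and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not from the thesis): "<client> <qname> <rcode>".
# 10.0.0.5 is a normal user with one typo; 10.0.0.9 walks a DGA-style list of names.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.5 cdn.example.net NOERROR
10.0.0.5 typo.exmaple.com NXDOMAIN
10.0.0.9 qzkxwrpl.com NXDOMAIN
10.0.0.9 tmbvhyqa.net NXDOMAIN
10.0.0.9 lwpdksjc.com NXDOMAIN
10.0.0.9 hvmqztrb.org NXDOMAIN
10.0.0.9 xckrwqpn.com NXDOMAIN
10.0.0.9 update.example.org NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN)$")

def parse_log(text):
    """Yield (client, qname, rcode) for each well-formed line; skip malformed ones."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2).lower().rstrip("."), m.group(3)

def nx_features(records):
    """Per client: total queries, NXDOMAIN count and the distinct names that failed.
    Only the failed queries carry state, which is what keeps the data volume small."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "nx_names": set()})
    for client, qname, rcode in records:
        s = stats[client]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
            s["nx_names"].add(qname)  # a bot rarely repeats a name that already failed
    return stats

def classify_hosts(text, min_nx=5, min_ratio=0.5):
    """Return {client: "malicious" | "normal"}. A host is flagged only when both the
    number of distinct failed names and the NXDOMAIN share of its queries exceed the
    (assumed) thresholds, so one typo from a normal user does not trip the detector."""
    result = {}
    for client, s in nx_features(parse_log(text)).items():
        ratio = s["nx"] / s["total"] if s["total"] else 0.0
        flagged = len(s["nx_names"]) >= min_nx and ratio >= min_ratio
        result[client] = "malicious" if flagged else "normal"
    return result
```

On a real resolver the same features would be computed per host over a time window; the thresholds here are chosen only to make the constructed sample separate cleanly.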