1.
Each botnet needs an addressing mechanism to locate its command and control (C&C) server(s). This mechanism allows a botmaster to send commands to and receive stolen data from compromised hosts. To maximize the availability of the C&C server(s), botmasters have recently started to use domain-flux techniques. However, domain-flux botnets have some important characteristics that we can use to detect them. They usually generate a large number of DNS queries resolved to the same IP address and they often generate many failures in DNS traffic. The domain names in the DNS queries are randomly or algorithmically generated and their alphanumeric distribution is significantly different from legitimate ones. In this paper, we present DFBotKiller, a negative reputation system that considers the history of both suspicious group activities and suspicious failures in DNS traffic to detect domain-flux botnets. Our main goal is to automatically assign a high negative reputation score to each host that is involved in these suspicious domain activities. To identify randomly or algorithmically generated domain names, we use three measures, namely the Jensen-Shannon divergence, Spearman's rank correlation coefficient, and Levenshtein distance. We demonstrate the effectiveness of DFBotKiller to detect hosts infected by domain-flux botnets using multiple DNS queries collected from our campus network and a testbed network consisting of some bot-infected hosts. The experimental results show that DFBotKiller can make a good trade-off between the detection and false alarm rates.
2.
Global Crime, 2013, 14(3): 160-175
Social researchers are facing more and more challenges as criminal networks are expanding in size and moving to the Internet. Many efforts are currently under way to enhance the technical capabilities of researchers working in the field of cybercrimes. Rather than focusing on the technical tools that could enhance research performance, this article focuses on a specific field that has demonstrated its use in the study of criminal networks: social network analysis (SNA). This article evaluates the effectiveness of SNA to enhance the value of information on cybercriminals. This includes both the identification of possible targets for follow-up research as well as the removal of subjects who may be wasting the researchers' time. This article shows that SNA can be useful on two levels. First, SNA provides scientific and objective measures of the structure of networks as well as the position of their key players. Second, fragmentation metrics, which measure the impact of the removal of n nodes in a network, help to determine the amount of resources needed to deal with specific organisations. In this case study, a tactical strike against the network could have had the same destabilising impact as a broader approach. The resources saved by limiting the investigation targets could then be used to monitor the criminal network's reaction to the arrests and to limit its ability to adapt to the post-arrest environment.
3.
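In recent years the harm caused by "botnets" has grown increasingly severe. Their types include IRC Bot, AOL Bot and P2P Bot, among others, and they are evolving ever more rapidly. The structure of botnets, however, has not changed much, and their typical mode of exploitation can basically be divided into five steps. The mainstream trend in botnet development is to keep spreading through system plug-ins, new file formats and Web 2.0 systems. But as long as comprehensive precautions are taken at both the network and host levels, "botnets" remain controllable.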