JOURNAL ARTICLE

Detecting DGA-Based Botnet with DNS Traffic Analysis in Monitored Network

Dinh‐Tu Truong, Guang Cheng, Ahmad Jakalan, Xiaojun Guo, Aiping Zhou

Year: 2016 Journal: 網際網路技術學刊 Vol: 17 (2) Pages: 217-230 Publisher: Taiwan Academic Network

Abstract

Modern botnets such as Zeus and Conficker have started employing a technique called domain fluxing to evade the naive blacklisting approach employed by network administrators. Domain-fluxing bots generate a list of Pseudo-Random Domain names (PRD) based on a predefined algorithm, called a Domain name Generation Algorithm (DGA), which botnet operators use for command and control (C&C) of their bots. It is a pressing issue today to prevent or at least reduce their destructive actions. In this paper, we focus on detecting domain-flux botnets within the monitored network based on DNS traffic features. First, we present a method to identify bot-infected machines based on similar periodic time-interval series of DNS queries. Then, in order to detect the C&C server, we monitor the stream of active DNS queries from bot-infected machines and introduce a method to extract related feature values, aiming to distinguish bot-generated domain names from human-generated ones based on a classifier model that we previously trained. We use five different machine learning algorithms to train classifier models and evaluate the effectiveness of detection. The experimental results show that the proposed method achieves the highest detection efficiency with the decision tree algorithm (J48), with an average overall accuracy of up to 98.5% and a false positive rate of 1.2%.

Keywords:
Botnet; Computer science; Domain Name System; Malware; Domain name; Command and control; Blacklisting; Data mining; Domain (mathematical analysis); Artificial intelligence; Classifier (UML); Machine learning; Computer security; The Internet; Operating system

Metrics

Cited By: 9
FWCI (Field Weighted Citation Impact): 1.49
Refs: 0
Citation Normalized Percentile: 0.85

Topics

Network Security and Intrusion Detection
Physical Sciences →  Computer Science →  Computer Networks and Communications
Internet Traffic Analysis and Secure E-voting
Physical Sciences →  Computer Science →  Artificial Intelligence
Anomaly Detection Techniques and Applications
Physical Sciences →  Computer Science →  Artificial Intelligence

Related Documents

JOURNAL ARTICLE

Detecting Botnet based on Network Traffic

Nguyen Vuong Tuan Hiep

Journal: International Journal of Advanced Trends in Computer Science and Engineering Year: 2020 Vol: 9 (3) Pages: 3010-3014

JOURNAL ARTICLE

Artificial Neural Network Based DGA Botnet Detection

Jiaxuan Wu

Journal: Journal of Physics Conference Series Year: 2020 Vol: 1578 (1) Pages: 012074-012074