TY - GEN
T1 - BotMeter
T2 - 36th IEEE International Conference on Distributed Computing Systems, ICDCS 2016
AU - Wang, Ting
AU - Hu, Xin
AU - Jang, Jiyong
AU - Ji, Shouling
AU - Stoecklin, Marc
AU - Taylor, Teryl
N1 - Publisher Copyright:
© 2016 IEEE.
PY - 2016/8/8
Y1 - 2016/8/8
N2 - Recent years have witnessed a rampant use of domain generation algorithms (DGAs) in major botnet crimewares, which tremendously strengthens a botnet's capability to evade detection or takedown. Despite a plethora of existing studies on detecting DGA-generated domains in DNS traffic, remediating such threats still relies on vetting the DNS behavior of each individual device. Yet, in large networks featuring complicated DNS infrastructures, we often lack the capability or the resource to exhaustively investigate every part of the networks to identify infected devices in a timely manner. It is therefore of great interest to first assess the population distribution of DGA-bots inside the networks and to prioritize the remediation efforts. In this paper, we present BotMeter, a novel tool that accurately charts the DGA-bot population landscapes in large networks. Specifically, we embrace the prevalent yet challenging setting of hierarchical DNS infrastructures with caching and forwarding mechanisms enabled, whereas DNS traffic is observable only at certain upper-level vantage points. We establish a new taxonomy of DGAs that captures their characteristic DNS dynamics. This allows us to develop a rich library of rigorous analytical models to describe the complex relationships between bot populations and DNS lookups observed at vantage points. We provide results from extensive empirical studies using both synthetic data and real DNS traces to validate the efficacy of BotMeter.
AB - Recent years have witnessed a rampant use of domain generation algorithms (DGAs) in major botnet crimewares, which tremendously strengthens a botnet's capability to evade detection or takedown. Despite a plethora of existing studies on detecting DGA-generated domains in DNS traffic, remediating such threats still relies on vetting the DNS behavior of each individual device. Yet, in large networks featuring complicated DNS infrastructures, we often lack the capability or the resource to exhaustively investigate every part of the networks to identify infected devices in a timely manner. It is therefore of great interest to first assess the population distribution of DGA-bots inside the networks and to prioritize the remediation efforts. In this paper, we present BotMeter, a novel tool that accurately charts the DGA-bot population landscapes in large networks. Specifically, we embrace the prevalent yet challenging setting of hierarchical DNS infrastructures with caching and forwarding mechanisms enabled, whereas DNS traffic is observable only at certain upper-level vantage points. We establish a new taxonomy of DGAs that captures their characteristic DNS dynamics. This allows us to develop a rich library of rigorous analytical models to describe the complex relationships between bot populations and DNS lookups observed at vantage points. We provide results from extensive empirical studies using both synthetic data and real DNS traces to validate the efficacy of BotMeter.
UR - http://www.scopus.com/inward/record.url?scp=84985946753&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84985946753&partnerID=8YFLogxK
U2 - 10.1109/ICDCS.2016.77
DO - 10.1109/ICDCS.2016.77
M3 - Conference contribution
AN - SCOPUS:84985946753
T3 - Proceedings - International Conference on Distributed Computing Systems
SP - 334
EP - 343
BT - Proceedings - 2016 IEEE 36th International Conference on Distributed Computing Systems, ICDCS 2016
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 27 June 2016 through 30 June 2016
ER -