Tag | Ind | Content
---|---|---
000 | | 00000nam c2200205 c 4500
001 | | 000045881644
005 | | 20160926170210
007 | | ta
008 | | 160708s2016 ulkd bmAC 000c eng
040 | | ▼a 211009 ▼c 211009 ▼d 211009
041 | 0 | ▼a eng ▼b kor
085 | 0 | ▼a 0510 ▼2 KDCP
090 | | ▼a 0510 ▼b 6YD36 ▼c 308
100 | 1 | ▼a 권종훈 ▼g 權鍾勳
245 | 1 1 | ▼a (A) scalable botnet countermeasure for large-scale DNS traffic / ▼d Jonghoon Kwon
260 | | ▼a Seoul : ▼b Graduate School, Korea University, ▼c 2016
300 | | ▼a x, 97 leaves : ▼b charts ; ▼c 26 cm
500 | | ▼a Advisor: 李喜造
502 | 1 | ▼a Thesis (Ph.D.)-- ▼b Korea University Graduate School: ▼c Department of Computer and Radio Communications Engineering, ▼d 2016. 8
504 | | ▼a References: leaves 91-97
530 | | ▼a Also available as a PDF file; ▼c Requires PDF file reader (application/pdf)
653 | | ▼a Network Security ▼a Malware ▼a Botnet ▼a PSD ▼a DGA
776 | 0 | ▼t A Scalable Botnet Countermeasure for Large-scale DNS Traffic ▼w (DCOLL211009)000000069531
900 | 1 0 | ▼a Kwon, Jong-hoon, ▼e author
900 | 1 0 | ▼a 이희조 ▼g 李喜造, ▼e advisor
945 | | ▼a KLPA
Electronic Information
No. | Title | Service
---|---|---
1 | (A) scalable botnet countermeasure for large-scale DNS traffic (viewed 38 times) | View PDF
Holdings Information
No. | Location | Call Number | Accession No. | Availability | Due Date
---|---|---|---|---|---
1 | Science & Engineering Library/Stacks(Thesis)/ | 0510 6YD36 308 | 123054355 | Available | 
Contents information
Abstract
Domain Name System (DNS) traffic has become a rich source of information from a security perspective. However, the volume of DNS traffic has been skyrocketing, so that security analysts have difficulty collecting, retrieving, and analyzing DNS traffic in response to modern Internet threats. More precisely, much DNS-based security research has been hurt by the dramatic growth in the number of queries and domains. This calls for a scalable approach whose cost is independent of the volume of DNS traffic. In this thesis, we introduce a fast and scalable botnet countermeasure designed from two perspectives: compromised host detection and malicious domain discovery. The compromised host detection approach, called PsyBoG, leverages a signal processing technique, Power Spectral Density (PSD) analysis, to discover the dominant frequencies produced by the periodic DNS queries of botnets. PSD analysis lets us detect sophisticated botnets regardless of their evasion techniques and sporadic behavior, and even when their queries are mixed with normal users' traffic. Furthermore, the method scales to large DNS data because it uses only the timing of query generation, independent of the number of queries and domains. Finally, PsyBoG discovers groups of hosts that show similar patterns of malicious behavior.

For malicious domain discovery, we introduce N+ropy, a lightweight C&C domain detection algorithm based on diversity analysis of queried NXDOMAINs (names that fail to resolve). First, NXDOMAIN names are clustered into groups by their domain name structure and by the domain names shared among hosts. Then we estimate how distinct each member name is from the rest of its group, and finally we discover the resolved C&C domains by comparing resolved names with the DGA-generated NXDOMAIN groups.
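To make the PsyBoG idea above concrete, the following added example (not code from the thesis and not the author's implementation) bins each host's DNS query timestamps into a 1 s series, computes its PSD with a small FFT, and flags a host when some frequency bin carries far more power than the spectrum's median. The lowest such bin is reported as the beacon frequency, because an impulse train spreads equal power over all its harmonics and the fundamental is the first of them. Flagged hosts are then bucketed by detected period as a stand-in for PsyBoG's group-activity detection. The bin width, window length, the 20x peak-to-median threshold, the host addresses and the synthetic traces are all assumptions made here.

```python
"""Host-level periodicity check over DNS query timestamps, in the spirit of the
PsyBoG idea summarized in the abstract. Added example, not the thesis' code; the
bin width, window length, threshold and synthetic traces are assumptions."""
import cmath
import math
import random

BIN_SECONDS = 1.0   # assumption: 1 s bins
WINDOW_BINS = 256   # assumption: 256 s window (power of two for the radix-2 FFT)
PEAK_RATIO = 20.0   # assumption: a bin must carry 20x the median spectral power


def bin_timestamps(timestamps, bin_seconds=BIN_SECONDS, n_bins=WINDOW_BINS):
    """Turn query arrival times (seconds) into a per-bin query count series."""
    series = [0.0] * n_bins
    for t in timestamps:
        i = int(t // bin_seconds)
        if 0 <= i < n_bins:
            series[i] += 1.0
    return series


def fft(x):
    """Recursive radix-2 Cooley-Tukey FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        tw = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + tw
        out[k + n // 2] = even[k] - tw
    return out


def psd(series):
    """One-sided PSD (|X[k]|^2 / N for k = 0..N/2) of the mean-removed series."""
    n = len(series)
    mean = sum(series) / n
    spectrum = fft([v - mean for v in series])   # removing the mean zeroes the DC bin
    return [abs(c) ** 2 / n for c in spectrum[: n // 2 + 1]]


def analyze_host(timestamps, bin_seconds=BIN_SECONDS, ratio=PEAK_RATIO):
    """Report the lowest frequency bin whose power stands out against the median.
    An impulse train puts equal power into every harmonic, so the first
    significant bin is the beacon frequency itself."""
    power = psd(bin_timestamps(timestamps, bin_seconds))
    n = 2 * (len(power) - 1)
    ranked = sorted(power[1:])
    median = ranked[len(ranked) // 2]
    if median <= 0:                      # empty or near-empty trace: nothing to say
        return {"freq_hz": 0.0, "period_s": math.inf, "peak_ratio": 0.0, "periodic": False}
    significant = [k for k in range(1, len(power)) if power[k] >= ratio * median]
    k = significant[0] if significant else max(range(1, len(power)), key=power.__getitem__)
    freq = k / (n * bin_seconds)
    return {"freq_hz": freq, "period_s": 1.0 / freq,
            "peak_ratio": power[k] / median, "periodic": bool(significant)}


def group_by_period(results, tolerance_s=0.5):
    """Bucket flagged hosts by detected period (stand-in for group-activity detection)."""
    groups = {}
    for host, r in results.items():
        if r["periodic"]:
            key = round(r["period_s"] / tolerance_s) * tolerance_s
            groups.setdefault(key, []).append(host)
    return groups


# Constructed traces (assumption): two bots beacon every 8 s with small jitter,
# with some ordinary lookups mixed in; a third host only makes random lookups.
rng = random.Random(7)


def beaconing_host(period_s, n_noise):
    beacons = [0.5 + period_s * i + rng.uniform(-0.2, 0.2)
               for i in range(int(WINDOW_BINS // period_s))]
    noise = [rng.uniform(0, WINDOW_BINS) for _ in range(n_noise)]
    return sorted(beacons + noise)


TRACES = {
    "10.0.0.11": beaconing_host(8, 20),
    "10.0.0.12": beaconing_host(8, 25),
    "10.0.0.50": sorted(rng.uniform(0, WINDOW_BINS) for _ in range(60)),
}


def detect_botnet_groups(traces=TRACES):
    results = {host: analyze_host(ts) for host, ts in traces.items()}
    return results, group_by_period(results)


if __name__ == "__main__":
    results, groups = detect_botnet_groups()
    for host, r in results.items():
        print(f"{host}: period={r['period_s']:.1f}s ratio={r['peak_ratio']:.1f} "
              f"periodic={r['periodic']}")
    print("groups:", groups)
```

Running the block prints one line per host: the two beaconing hosts come out with an 8 s period and land in the same group, while the random-only host stays unflagged. The bin width and window bound what can be seen (1 s bins cannot resolve sub-second beacons, and a 256 s window cannot show periods longer than a couple of minutes), and the median-based threshold is a simplification of the thesis' significant peak analyzer, not a reproduction of it.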
The experiments were performed with two different data sets: DNS traces generated by real malware in controlled environments, and a large number of real-world DNS traces collected from a recursive DNS server, an authoritative DNS server, and Top-Level Domain (TLD) servers. Using the malware traces as ground truth, PsyBoG achieved a detection accuracy of 95%. With the large real-world traces we demonstrated the scalability and effectiveness of PsyBoG in practical use: it detected 23 unknown and 26 known botnet groups with 0.1% false positives. N+ropy scores 94.5% precision and 100% recall, and needs less than 5 minutes to process two days of DNS traces containing 54 M queries and 1 M unique domain names.
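The NXDOMAIN diversity step that the abstract describes for N+ropy, as an added example that is not the thesis' code: NXDOMAIN names are grouped by a coarse structure key (TLD, length bucket of the second-level label, character class), each member is scored by how distinct it is from the rest of its group using bigram overlap, groups with high mean distinctness and enough members are treated as DGA output, and resolved names with the same structure queried by the same clients are reported as candidate C&C domains. The structure key, the bigram distinctness score, the thresholds, the client addresses and the sample records are all assumptions made here.

```python
"""NXDOMAIN diversity analysis in the spirit of the N+ropy idea summarized in the
abstract. Added example, not the thesis' code; the structure key, distinctness
score, thresholds and sample records are assumptions."""
import random
from collections import defaultdict

MIN_GROUP = 5               # assumption: ignore tiny NXDOMAIN groups
DIVERSITY_THRESHOLD = 0.7   # assumption: mean distinctness above this is DGA-like


def second_level(qname):
    """Label just below the TLD, e.g. 'example' for 'www.example.com'."""
    return qname.lower().rstrip(".").split(".")[-2]


def structure_key(qname):
    """Coarse shape of a name: (TLD, length bucket of the SLD, character class)."""
    labels = qname.lower().rstrip(".").split(".")
    sld, tld = labels[-2], labels[-1]
    cls = "alpha" if sld.isalpha() else ("digit" if sld.isdigit() else "mixed")
    return (tld, len(sld) // 4, cls)


def bigrams(s):
    return {s[i:i + 2] for i in range(len(s) - 1)}


def distinctness(name, others):
    """1 minus the highest bigram Jaccard similarity to any other group member."""
    b = bigrams(name)
    best = 0.0
    for other in others:
        ob = bigrams(other)
        best = max(best, len(b & ob) / len(b | ob))
    return 1.0 - best


def group_diversity(names):
    """Mean member distinctness: near 1 for DGA output, low for typo clusters."""
    names = sorted(set(names))
    if len(names) < 2:
        return 0.0
    return sum(distinctness(n, [o for o in names if o != n]) for n in names) / len(names)


def find_cc_candidates(records):
    """records: iterable of (client, qname, rcode). Returns DGA-like NXDOMAIN
    groups together with same-shaped resolved names from the same clients."""
    nx_names, nx_hosts, resolved = defaultdict(set), defaultdict(set), defaultdict(set)
    for host, qname, rcode in records:
        key = structure_key(qname)
        if rcode == "NXDOMAIN":
            nx_names[key].add(second_level(qname))
            nx_hosts[key].add(host)
        else:
            resolved[key].add((host, qname))
    report = {}
    for key, names in nx_names.items():
        if len(names) < MIN_GROUP:
            continue
        diversity = group_diversity(names)
        if diversity < DIVERSITY_THRESHOLD:
            continue
        # resolved names of the same shape, but only from hosts that produced the NXDOMAINs
        candidates = sorted(q for h, q in resolved.get(key, ()) if h in nx_hosts[key])
        report[key] = {"members": len(names), "diversity": round(diversity, 3),
                       "hosts": sorted(nx_hosts[key]), "candidates": candidates}
    return report


# Constructed records (assumption): two clients walk a 12-letter .com DGA and one
# of them reaches the registered name; a third client only mistypes google.com.
_gen = random.Random(3)


def _dga_name():
    return "".join(_gen.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(12)) + ".com"


DGA_NX = [_dga_name() for _ in range(8)]
CC_DOMAIN = _dga_name()
TYPOS = ["gogle.com", "googel.com", "goggle.com", "gooogle.com", "googl.com"]
SAMPLE_RECORDS = (
    [("10.0.0.11", q, "NXDOMAIN") for q in DGA_NX[:5]]
    + [("10.0.0.12", q, "NXDOMAIN") for q in DGA_NX[3:]]
    + [("10.0.0.12", CC_DOMAIN, "NOERROR"),
       ("10.0.0.11", "www.google.com", "NOERROR"),
       ("10.0.0.50", "distributions.com", "NOERROR")]   # same shape, unrelated client
    + [("10.0.0.50", q, "NXDOMAIN") for q in TYPOS]
)

if __name__ == "__main__":
    for key, info in find_cc_candidates(SAMPLE_RECORDS).items():
        print(key, info)
```

The typo cluster shares most of its bigrams and scores a diversity of about 0.26, so it is ignored even though it has five members; the DGA group scores above 0.9, and only the resolved 12-letter name queried by one of the DGA clients is reported, while the same-shaped but legitimate name from the third client is not. A structure match plus a shared client is a coarse filter: in production the candidate list still needs the kind of comparison against the NXDOMAIN group that the thesis performs, and a whitelist of popular domains, before anything is blocked.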
Table of Contents
1. Introduction 1
  1.1 Motivation 1
  1.2 Approach 4
  1.3 Contributions 5
  1.4 Thesis Outline 6
2. Related Work and Background 7
  2.1 Related Work 7
    2.1.1 Host-based Detection 7
    2.1.2 Network-based Detection 8
    2.1.3 DNS-based Detection 9
  2.2 Background 12
    2.2.1 The Domain Name System (DNS) 12
    2.2.2 Botnet Characteristics 15
    2.2.3 Signal Processing Techniques 17
3. PsyBoG: Botnet Host Detection 19
  3.1 Problem Definition 19
  3.2 Insights on Botnet Behavior 21
  3.3 PsyBoG Mechanism 22
    3.3.1 DNS Traffic Collector 24
    3.3.2 Periodicity Analyzer 26
    3.3.3 Significant Peak Analyzer 28
    3.3.4 Botnet Group Activity Detection 32
4. N+ropy: Malicious Domain Detection 35
  4.1 Problem Definition 35
  4.2 Insights on DGA botnet 36
  4.3 N+ropy Mechanism 39
    4.3.1 Domain Group Cluster 42
    4.3.2 Diversity Analyzer 42
    4.3.3 Resolved DGA Domain Tracker 45
5. Experiment Result I: Botnet Host Detection 46
  5.1 Dataset Overview 46
    5.1.1 Filtering 48
    5.1.2 Time Series 49
  5.2 Detection Accuracy 49
  5.3 Signal-to-Noise Test 55
  5.4 Performance with Large-scale Data 56
    5.4.1 Detection Performance in Real DNS 56
    5.4.2 Botnet Group Detection 60
  5.5 Scalability Analysis 62
  5.6 Overhead Estimation 66
6. Experiment Result II: Malicious Domain Detection 72
  6.1 Dataset Description 72
  6.2 Detection Performance Evaluation 74
  6.3 System Performance Evaluation 78
7. Discussion 80
  7.1 Random Query Pattern 80
  7.2 Slow Query Pattern 82
  7.3 Bot Hosts behind NAT boxes 82
  7.4 More Efficient PsyBoG 83
8. Conclusion 85
Appendix A. Detection results for Campus1 and Campus2 86
Appendix B. Detection results for DDNS1 and DDNS2 88
Appendix C. Detection results for KrTLD1 and KrTLD2 89
References 91