Abstract

A botnet is a network of bots, or infected systems, each running on a compromised host machine and controlled by a command and control server. Botnets can be used for anything from email spamming to launching DDoS attacks. Botnet attacks are classified as topology based, protocol based, and architecture based. Designing a detection system for bots is becoming challenging because botnet attacks are upgrading their attacking methodology by hiding and periodically changing identities (the command and control server). This paper proposes a bot detection methodology based on monitoring domain name server record response (DNSRR) query traffic, which forms a group activity in DNS traffic as the queries are sent simultaneously by bot machines. The analysis is based on the type of botnet attack, detection target, feature source, feature extraction, feature correlation, and machine learning techniques. A few researchers have proposed bot detection techniques based on the DNS queries initiated by bots, but these can be easily evaded by changing the bot program, architecture, or protocol, or by encrypting network traffic. The proposed approach is more versatile and robust than the existing detection approaches, so that the presence of a variety of bots can be detected by monitoring the group activities of DNSRR queries in DNS traffic. The experiment and results show that the proposed methodology is able to detect bots efficiently while they are connected to the controlling server or migrating to a new server. The results are encouraging because of the low false positive detection rate.
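As an added illustration of the group-activity signal the abstract describes (example code written for this page, not the paper's own implementation or feature set), the following scans a constructed DNS query log and flags names that many distinct hosts resolve within a short sliding window; the log format, the window length and the host threshold are assumptions, and the paper's feature correlation and machine learning stages are not reproduced.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample DNS query log, one query per line:
# "<ISO timestamp> <client IP> <queried name> <query type>"
# Four hosts resolve the same name within three seconds (group activity);
# the remaining queries are isolated, ordinary lookups.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 c2-example.test A
2024-01-01T10:00:01 10.0.0.7 c2-example.test A
2024-01-01T10:00:02 10.0.0.9 c2-example.test A
2024-01-01T10:00:02 10.0.0.11 c2-example.test A
2024-01-01T10:00:03 10.0.0.5 news.example.test A
2024-01-01T10:05:00 10.0.0.7 mail.example.test MX
2024-01-01T10:30:00 10.0.0.9 news.example.test A
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, client, qname, qtype)."""
    records = []
    for line in text.splitlines():
        ts, client, qname, qtype = line.split()
        records.append((datetime.fromisoformat(ts), client, qname.lower(), qtype))
    return records


def find_group_activity(records, window=timedelta(seconds=10), min_hosts=3):
    """Return {qname: set_of_clients} for every name that at least min_hosts
    distinct clients queried inside some sliding window of length `window`.
    A burst of many hosts resolving one name at nearly the same time is the
    simultaneous group activity in DNS traffic that the abstract points to."""
    by_name = defaultdict(list)
    for ts, client, qname, _qtype in records:
        by_name[qname].append((ts, client))
    alerts = {}
    for qname, events in by_name.items():
        events.sort()  # chronological order so the window can slide forward
        start = 0
        for end in range(len(events)):
            # advance the window start until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {client for _, client in events[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts[qname] = alerts.get(qname, set()) | hosts
    return alerts
```

Running `find_group_activity(parse_log(SAMPLE_LOG))` reports only the name queried by the burst of four hosts, with the set of clients involved, while the single lookups stay unflagged.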
