Abstract

A botnet is a collection of infected computers (zombie PCs) that are remotely controlled by a single person or group, the so-called botmaster. In recent years botnets have become stealthier by adopting hiding techniques such as fast flux or domain generation algorithms (DGAs) to produce their domain names. Broadly, botnets fall into two major classes: those that exploit the IP protocol and those that use the DNS protocol for communication. Bot malware that uses DNS is designed to remain unaffected over a long period of time; once it receives commands from the botmaster, it responds by executing further actionable commands, such as sending spam or launching DDoS attacks. To address this, we present BotMAD (Botnet Malicious Activity Detection), based on DNS traffic pattern analysis, to detect the class of botnet families that IP-protocol-based techniques miss, because the botmaster can change the IP addresses through fast flux or other techniques to stay stealthy. BotMAD, an automated DNS traffic analyzer and detector, automatically identifies malicious IP/domain pairs by inspecting the DNS packets in network traces. A DNSBL feed is further integrated into the system by fetching malicious-domain records through the Intel critical-stack API to enrich the database. To validate the accuracy of the system, two data sets are used: network traces of bot malware captured on honeypots, and domain reputation engines for validation. We conclude that the developed framework gives promising results for botnet domain detection.
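The abstract describes two ingredients of BotMAD: inspecting DNS answers in network traces to surface malicious IP/domain pairs, and enriching that with a DNSBL feed. The following is an added illustration of that combination, not the paper's own code or its real thresholds: it consumes constructed A-record answers (as a trace extractor might emit them), flags a domain either because it appears in a constructed blocklist feed (a stand-in for the Intel critical-stack records; no API is called) or because it shows a fast-flux-like pattern (many distinct IPs behind short-TTL answers, with hypothetical thresholds), and then flattens the findings into (domain, ip) pairs. The fast-flux heuristic is deliberately conservative because legitimate round-robin and CDN names also rotate a few short-TTL addresses; the reputation feed is what keeps such names from being reported on pattern alone.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsAnswer:
    """One A-record answer pulled from a DNS response (constructed input)."""
    ts: float      # capture timestamp, seconds
    client: str    # host that asked, i.e. a candidate bot
    domain: str    # queried name
    ip: str        # address returned in the answer
    ttl: int       # TTL of the answer record


# Constructed sample trace: four domains with different answer behaviour.
SAMPLE_ANSWERS = [
    # flux.example: a different address on every query, short TTL
    DnsAnswer(1.0, "10.0.0.5", "flux.example", "198.51.100.10", 60),
    DnsAnswer(2.0, "10.0.0.5", "flux.example", "198.51.100.20", 60),
    DnsAnswer(3.0, "10.0.0.7", "flux.example", "198.51.100.30", 60),
    DnsAnswer(4.0, "10.0.0.7", "flux.example", "198.51.100.40", 60),
    DnsAnswer(5.0, "10.0.0.5", "flux.example", "198.51.100.50", 60),
    DnsAnswer(6.0, "10.0.0.9", "flux.example", "198.51.100.60", 60),
    # www.example.com: stable address, long TTL (benign)
    DnsAnswer(1.5, "10.0.0.5", "www.example.com", "203.0.113.7", 3600),
    DnsAnswer(7.0, "10.0.0.9", "www.example.com", "203.0.113.7", 3600),
    # listed.example: unremarkable traffic, but present in the feed
    DnsAnswer(2.5, "10.0.0.7", "listed.example", "192.0.2.9", 300),
    # cdn.example: a few rotating addresses, too few for the pattern rule
    DnsAnswer(3.5, "10.0.0.5", "cdn.example", "203.0.113.21", 30),
    DnsAnswer(4.5, "10.0.0.5", "cdn.example", "203.0.113.22", 30),
    DnsAnswer(5.5, "10.0.0.9", "cdn.example", "203.0.113.23", 30),
]

# Constructed stand-in for a DNSBL feed export, one "domain,reason" per line.
FEED_TEXT = """\
# constructed feed: domain,reason
listed.example,c2 sinkhole
"""


def load_feed(text):
    """Parse a comma-separated blocklist export into {domain: reason}."""
    feed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain, _, reason = line.partition(",")
        feed[domain.lower()] = reason.strip() or "listed"
    return feed


def analyze_dns(answers, blocklist, min_distinct_ips=5, max_ttl=300):
    """Return {domain: {"ips", "clients", "reasons"}} for suspicious domains.

    Signals (hypothetical thresholds, not the paper's):
      "dnsbl"      the domain is present in the reputation feed
      "fast-flux"  at least min_distinct_ips distinct answers, all with
                   TTL <= max_ttl, i.e. a rapidly rotating address set
    """
    stats = defaultdict(lambda: {"ips": set(), "max_ttl": 0, "clients": set()})
    for a in answers:
        s = stats[a.domain.lower()]
        s["ips"].add(a.ip)
        s["max_ttl"] = max(s["max_ttl"], a.ttl)
        s["clients"].add(a.client)

    findings = {}
    for domain, s in stats.items():
        reasons = []
        if domain in blocklist:
            reasons.append("dnsbl")
        if len(s["ips"]) >= min_distinct_ips and s["max_ttl"] <= max_ttl:
            reasons.append("fast-flux")
        if reasons:
            findings[domain] = {
                "ips": sorted(s["ips"]),
                "clients": sorted(s["clients"]),
                "reasons": reasons,
            }
    return findings


def malicious_pairs(findings):
    """Flatten findings into sorted (domain, ip) pairs for reporting."""
    return sorted((d, ip) for d, f in findings.items() for ip in f["ips"])


if __name__ == "__main__":
    found = analyze_dns(SAMPLE_ANSWERS, load_feed(FEED_TEXT))
    for domain, info in found.items():
        print(domain, info["reasons"], "clients:", info["clients"])
    for pair in malicious_pairs(found):
        print("pair:", pair)
```

On the constructed trace this reports flux.example (pattern) and listed.example (feed) and keeps the clients that queried them, which is the list a responder would want to triage; cdn.example and www.example.com are not reported.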
