Abstract

Botnets are considered the primary threat on the Internet, and there have been many research efforts to detect and mitigate them. Today, Botnets use the DNS technique fast-flux to hide malware sites behind a constantly changing network of compromised hosts. This technique is similar to the trustworthy Round Robin DNS technique and to Content Delivery Networks (CDN). In order to distinguish normal network traffic from Botnet traffic, different techniques have been developed with more or less success. The aim of this paper is to improve Botnet detection using an Intrusion Detection System (IDS) or router. A novel classification method for online Botnet detection is presented, based on DNS traffic features that distinguish Botnet traffic from CDN-based traffic. Botnet features are classified according to the possibility of their use and implementation in an embedded system. Traffic response is analysed as a strong candidate for online detection. Its disadvantage lies in specific areas where a CDN acts like a Botnet. A new feature based on search engine hits is proposed to reduce false positives. The experimental evaluations show that the proposed classification could significantly improve Botnet detection. A procedure is suggested to implement such a system as part of an IDS.

Highlights

  • The Domain Name System (DNS) is a hierarchical naming system for computers, services, clients, or any resource connected to the Internet

  • This set of data was collected over a one-year period and is referred to as DCDN

  • Fast-flux Botnet and phishing domains were taken from data gathered from Botnet trackers over a one-year period [35,36,37,38,39,40,41,42,43,44,45,46,47]

Introduction

The Domain Name System (DNS) is a hierarchical naming system for computers, services, clients, or any resource connected to the Internet. It provides a critical Internet service: the mapping between two principal name spaces on the Internet, the DNS tree and the Internet Protocol logical address space. Resolution, the caching system and the tree-like organization give the DNS its fault tolerance [2]. This fault tolerance can help specific services achieve availability through load distribution. The most common example of this type of service is a web service, where redundancy is achieved by making multiple web servers with the same web content available. This solution is named Round Robin DNS (RRDNS) [3]. The main advantage of RRDNS is load redistribution between multiple servers.
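As an added illustration of why RRDNS and CDN answers resemble fast-flux, and of the kind of DNS-response features the abstract refers to, the following Python example (not code from the paper) extracts a few per-domain features from a window of observed A-record answers and applies a hypothetical threshold rule. The observation sets, the /24-prefix proxy for network diversity and the thresholds are all assumptions for illustration; the paper's own classifier and its search-engine-hits feature are not reproduced.

```python
"""Added example: per-domain DNS answer features that separate fast-flux from RRDNS/CDN."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List


@dataclass
class DnsAnswer:
    """One A-record answer set observed for a domain at time t (seconds)."""
    t: int
    ttl: int
    ips: List[str]


def prefix(ip: str, bits: int = 24) -> str:
    """Collapse an address to its /bits network. Used here as a cheap stand-in for an
    ASN lookup, which an embedded IDS may not be able to perform online (assumption)."""
    return str(ip_network(f"{ip}/{bits}", strict=False))


def extract_features(obs: List[DnsAnswer]) -> Dict[str, float]:
    """Features over a window of answers for one domain:
    min_ttl            smallest TTL seen (flux domains keep it short so the set can change)
    distinct_ips       number of different addresses returned in the window
    distinct_prefixes  number of different /24 networks those addresses fall in
    churn              mean fraction of an answer's addresses not seen in any earlier answer
    """
    seen: set = set()
    churn = []
    for a in obs:
        ips = set(a.ips)
        churn.append(len(ips - seen) / len(ips))
        seen |= ips
    return {
        "min_ttl": min(a.ttl for a in obs),
        "distinct_ips": len(seen),
        "distinct_prefixes": len({prefix(ip) for ip in seen}),
        # the first answer is trivially 100% new, so it is excluded from the mean
        "churn": sum(churn[1:]) / max(1, len(churn) - 1),
    }


def classify(feat: Dict[str, float], max_ttl: int = 300,
             min_prefixes: int = 4, min_churn: float = 0.5) -> str:
    """Hypothetical threshold rule; the paper's classifier is not reproduced here."""
    if (feat["min_ttl"] <= max_ttl and feat["distinct_prefixes"] >= min_prefixes
            and feat["churn"] >= min_churn):
        return "fast-flux"
    return "rrdns-or-cdn"


# Constructed observations (not data from the paper); addresses are RFC 5737/1918 ranges.
# RRDNS: a fixed pool of three servers in one network, rotated on every answer.
RRDNS_OBS = [
    DnsAnswer(0, 300, ["203.0.113.10", "203.0.113.11", "203.0.113.12"]),
    DnsAnswer(300, 300, ["203.0.113.11", "203.0.113.12", "203.0.113.10"]),
    DnsAnswer(600, 300, ["203.0.113.12", "203.0.113.10", "203.0.113.11"]),
]
# Fast-flux: short TTL and a fresh set of compromised hosts from unrelated networks each time.
FLUX_OBS = [
    DnsAnswer(0, 60, ["198.51.100.7", "192.0.2.200", "10.8.0.5"]),
    DnsAnswer(60, 60, ["198.51.100.30", "172.16.4.9", "192.168.77.1"]),
    DnsAnswer(120, 60, ["10.9.1.2", "192.0.2.45", "172.16.5.6"]),
    DnsAnswer(180, 60, ["198.51.100.91", "10.10.0.3", "192.168.78.4"]),
]
# CDN: short TTL and edge nodes from many networks, i.e. the same DNS-level footprint as flux.
CDN_OBS = [
    DnsAnswer(0, 20, ["203.0.113.5", "198.51.100.200"]),
    DnsAnswer(20, 20, ["192.0.2.17", "172.16.9.1"]),
    DnsAnswer(40, 20, ["10.20.0.1", "192.168.3.3"]),
]

if __name__ == "__main__":
    for name, obs in (("RRDNS", RRDNS_OBS), ("fast-flux", FLUX_OBS), ("CDN", CDN_OBS)):
        f = extract_features(obs)
        print(f"{name:10s} {f} -> {classify(f)}")
```

The RRDNS set is separated easily: the pool is small, sits in one network and never changes, so churn is zero. The CDN set, however, is flagged as fast-flux by the same rule, because a globally distributed CDN with a short TTL looks exactly like a flux network at the DNS-answer level. This is the false-positive case the abstract describes, and the reason it adds a feature that is independent of the DNS answers (search engine hits) on top of traffic-response features.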
