Using EBPF to identify ransomware that use DGA DNS queries

Abstract

In today's world, where the Internet has become an integral part of the functioning of government and corporate institutions, the integrity and availability of information is becoming a key issue for many organizations and individual users. The issue of protection against crypto viruses and attacks, in particular, using DGA (Domain Generation Algorithms), a method used by attackers to automatically generate domain names for client-server (Command & Control) communication in the DNS-based virus ecosystem, is particularly relevant, making it difficult to detect and block them due to the way DNS is used in modern computer networks. Given the growing number of attacks that use DGA, there is a need to develop new methods that are faster and can analyze large traffic flows in real time and provide functionality for detecting and blocking them. eBPF (Extended Berkeley Packet Filter) is a modern tool that allows you to create small programs to monitor and analyze various aspects of the system in real time, including network traffic. These programs are executed directly in the operating system kernel and/or at the network card level. In this study, we consider the possibility of using eBPF to detect DGA activity in DNS traffic. The goal is to determine the effectiveness of real-time ransomware detection. We developed a ransomware analysis lab environment where we developed eBPF-based modules, tested them, and simulated an attack. In addition, a cloud-based data analysis environment based on Splunk was set up and rules for detecting a DGA attack were developed based on this analysis. This article presents the results of developing an eBPF-based program for analyzing DNS traffic, conducting DGA attacks, and methods for detecting them. These results can be an important contribution to the development of strategies to protect against malicious attacks in the network.