33 - Proactive Botnets Detection and Defense at Internet scale

Christian Dietz (University of Twente and Universität der Bundeswehr München)

Botnets are an enabler for many cyber-criminal activities and are often used for DDoS attacks, financial fraud, cyber-espionage and extortion. Botnets are controlled by a botmaster who uses various advanced techniques to create, maintain and hide the complex and distributed command and control infrastructure. First, they use P2P techniques and domain fast-flux to increase resilience against take-down actions. Second, botnets encrypt their communication payload to prevent signature-based detection. Both the actions to increase resilience and the prevention of signature-based detection are countermeasures against detection techniques. In contrast to existing approaches, our novel approach is based on collaborative monitoring of the interaction of the botmaster and the bots with the domain name system. This includes DNS registration behaviour, which we currently analyse for the .com, .net and .org top-level domains, representing half of the registered domains on the Internet. Hence, the goal of this PhD research is to enable early detection of the deployment and operation of botnets in order to facilitate proactive mitigation strategies, whereas current approaches usually detect botnets only once they are already in active use. Consequently, this proactive approach prevents botnets from fully evolving their size and attack power. Moreover, as many end users are unable to detect and clean infected machines, our approach tackles the botnet phenomenon without requiring any end user involvement, by incorporating ISPs and domain name registrars. We enhance our approach by taking into account other publicly available data regarding domains and IP addresses that our system crawls regularly from the Internet. All this information is analysed using big data and machine learning techniques.
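To make the two DNS-side signals named in the abstract concrete (bursty domain registrations sharing registrar and name server, and fast-flux resolution patterns), here is an added illustration in Python; it is not the author's system. The records, IP addresses and thresholds are constructed for the example and are not derived from the project's data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed registration records: (domain, registrar, name server, registered-at, ISO 8601).
REGISTRATIONS = [
    ("a1b2c3-update.com", "reg-x", "ns1.example-dns.net", "2015-03-01T10:00:00"),
    ("d4e5f6-update.com", "reg-x", "ns1.example-dns.net", "2015-03-01T10:02:00"),
    ("g7h8i9-update.net", "reg-x", "ns1.example-dns.net", "2015-03-01T10:05:00"),
    ("j0k1l2-update.org", "reg-x", "ns1.example-dns.net", "2015-03-01T10:07:00"),
    ("mybakery.com", "reg-y", "ns.hoster.example", "2015-03-01T12:00:00"),
    ("cityclub.org", "reg-z", "ns.other.example", "2015-03-02T09:00:00"),
]

# Constructed resolution observations: domain -> list of (answer IP, TTL) seen over time.
RESOLUTIONS = {
    "a1b2c3-update.com": [("203.0.113.5", 300), ("198.51.100.9", 300),
                          ("203.0.113.77", 120), ("192.0.2.41", 300),
                          ("198.51.100.200", 60)],
    "mybakery.com": [("192.0.2.10", 86400), ("192.0.2.10", 86400)],
}


def registration_bursts(records, window_minutes=15, min_domains=3):
    """Group registrations by (registrar, name server) and flag any group in which
    at least min_domains domains were registered inside a window_minutes window.
    Returns {(registrar, ns): [domains in the first burst found]}."""
    groups = defaultdict(list)
    for domain, registrar, ns, ts in records:
        groups[(registrar, ns)].append((datetime.fromisoformat(ts), domain))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for key, items in groups.items():
        items.sort()  # chronological order within the group
        for i in range(len(items)):
            j = i
            while j < len(items) and items[j][0] - items[i][0] <= window:
                j += 1
            if j - i >= min_domains:
                flagged[key] = [d for _, d in items[i:j]]
                break
    return flagged


def fastflux_score(observations, min_ips=4, max_avg_ttl=600):
    """Heuristic fast-flux indicator: many distinct answer IPs combined with low TTLs.
    Thresholds are illustrative assumptions, not values from the paper."""
    ips = {ip for ip, _ in observations}
    avg_ttl = sum(ttl for _, ttl in observations) / len(observations)
    return {"distinct_ips": len(ips), "avg_ttl": avg_ttl,
            "suspicious": len(ips) >= min_ips and avg_ttl <= max_avg_ttl}
```

In a deployment these features would be computed over registrar feeds and passive DNS and fed to the classifier rather than thresholded by hand; the point here is only which observations the registration-behaviour and fast-flux signals rest on.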

