How to Achieve Early Botnet Detection at the Provider Level?

Abstract: Botnets are an enabler for many cyber-criminal activities and are often responsible for DDoS attacks, banking fraud, cyber-espionage and extortion. Botnets are controlled by a botmaster who uses various advanced techniques to create, maintain and hide their complex and distributed C&C infrastructures. First, they use P2P techniques and domain fast-flux to increase resilience against take-down actions. Second, botnets encrypt their communication payload to prevent signature-based detection. Both the actions to increase resilience and the prevention of signature-based detection are counteractions against detection techniques. In contrast to existing approaches, our novel approach includes DNS registration behaviour, which we currently analyse for the .com, .net and .org domains, representing half of the registered domains on the Internet. Hence, the goal of this PhD research is to enable early detection of the deployment and operation of botnets in order to facilitate proactive mitigation strategies, whereas current approaches usually detect botnets only once they are already in active use. Consequently, this proactive approach prevents botnets from fully developing their size and attack power. Moreover, as many end users are unable to detect and clean infected machines, our approach tackles the botnet phenomenon without requiring any end user involvement, by incorporating ISPs and domain name registrars. In addition, this will enable the discovery of similar behaviour across different connected systems, which allows detection in cases where bots are registered under domains that are not willing to cooperate.
Document type: Conference paper
Rémi Badonnel; Robert Koch; Aiko Pras; Martin Drašar; Burkhard Stiller. 10th IFIP International Conference on Autonomous Infrastructure, Management and Security (AIMS), Jun 2016, Munich, Germany. Springer International Publishing, Lecture Notes in Computer Science, LNCS-9701, pp.142-146, 2016, Management and Security in the Age of Hyperconnectivity. 〈10.1007/978-3-319-39814-3_15〉

Cited literature: 16 references

https://hal.inria.fr/hal-01632750
Contributor: Hal Ifip
Submitted on: Friday 10 November 2017 - 15:27:58
Last modified on: Friday 10 November 2017 - 15:31:09
Document(s) archived on: Sunday 11 February 2018 - 14:36:19

File: restricted access; file visible on 2019-01-01

License: Distributed under a Creative Commons Attribution 4.0 International License

Citation

Christian Dietz, Anna Sperotto, Gabi Dreo, Aiko Pras. How to Achieve Early Botnet Detection at the Provider Level?. Rémi Badonnel; Robert Koch; Aiko Pras; Martin Drašar; Burkhard Stiller. 10th IFIP International Conference on Autonomous Infrastructure, Management and Security (AIMS), Jun 2016, Munich, Germany. Springer International Publishing, Lecture Notes in Computer Science, LNCS-9701, pp.142-146, 2016, Management and Security in the Age of Hyperconnectivity. 〈10.1007/978-3-319-39814-3_15〉. 〈hal-01632750〉

Metrics: record views: 51