{"id":799,"date":"2016-02-01T11:26:53","date_gmt":"2016-02-01T19:26:53","guid":{"rendered":"http:\/\/ant.isi.edu\/blog\/?p=799"},"modified":"2020-10-19T09:58:36","modified_gmt":"2020-10-19T16:58:36","slug":"new-technical-report-botdigger-detecting-dga-bots-in-a-single-network","status":"publish","type":"post","link":"https:\/\/ant.isi.edu\/blog\/?p=799","title":{"rendered":"new technical report &#8220;BotDigger: Detecting DGA Bots in a Single Network&#8221;"},"content":{"rendered":"<p>We have released a new technical report \u201cBotDigger: Detecting DGA Bots in a Single Network\u201d, CS-16-101, available at&nbsp;<a href=\"http:\/\/www.cs.colostate.edu\/~hanzhang\/papers\/BotDigger-techReport.pdf\">http:\/\/www.cs.colostate.edu\/~hanzhang\/papers\/BotDigger-techReport.pdf<\/a><\/p>\n<p>The code of BotDigger is available on GitHub at:&nbsp;<a href=\"https:\/\/github.com\/hanzhang0116\/BotDigger\">https:\/\/github.com\/hanzhang0116\/BotDigger<\/a><\/p>\n<p>From the abstract:<\/p>\n<blockquote><p>To improve the resiliency of communication between bots and C&amp;C servers, bot masters began utilizing Domain Generation Algorithms (DGA) in recent years. Many systems have been introduced to detect DGA-based botnets. However, they suffer from several limitations, such as requiring DNS traffic collected across many networks, the presence of multiple bots from the same botnet, and so forth. <img loading=\"lazy\" decoding=\"async\" class=\" wp-image-802 alignright\" src=\"http:\/\/ant.isi.edu\/blog\/wp-content\/uploads\/2016\/02\/BotDiggerOverview-300x265.png\" alt=\"BotDiggerOverview\" width=\"353\" height=\"311\" srcset=\"https:\/\/ant.isi.edu\/blog\/wp-content\/uploads\/2016\/02\/BotDiggerOverview-300x265.png 300w, https:\/\/ant.isi.edu\/blog\/wp-content\/uploads\/2016\/02\/BotDiggerOverview-1024x904.png 1024w, https:\/\/ant.isi.edu\/blog\/wp-content\/uploads\/2016\/02\/BotDiggerOverview-768x678.png 768w, https:\/\/ant.isi.edu\/blog\/wp-content\/uploads\/2016\/02\/BotDiggerOverview.png 1139w\" sizes=\"auto, (max-width: 353px) 100vw, 353px\" \/>These limitations make it very hard to detect individual bots when using traffic collected from a single network. In this paper, we introduce BotDigger, a system that detects DGA-based bots using DNS traffic without a priori knowledge of the domain generation algorithm. BotDigger utilizes a chain of evidence, including quantity, temporal and linguistic evidence<br \/>\nto detect an individual bot by only monitoring traffic at the DNS servers of a single network. We evaluate BotDigger\u2019s performance using traces from two DGA-based botnets: Kraken and Conficker. Our results show that BotDigger detects all the Kraken bots and 99.8% of Conficker bots. A one-week DNS trace captured from our university and three traces collected from our research lab are used to evaluate false positives. The results show that the false positive rates are 0.05% and 0.39% for these two groups of background traces, respectively.<\/p><\/blockquote>\n<p>This work is by Han Zhang,&nbsp;Manaf Gharaibeh, Spiros Thanasoulas and Christos Papadopoulos (Colorado State University).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We have released a new technical report \u201cBotDigger: Detecting DGA Bots in a Single Network\u201d, CS-16-101, available at&nbsp;http:\/\/www.cs.colostate.edu\/~hanzhang\/papers\/BotDigger-techReport.pdf The code of BotDigger is available on GitHub at:&nbsp;https:\/\/github.com\/hanzhang0116\/BotDigger From the abstract: To improve the resiliency of communication between bots and C&amp;C servers, bot masters began utilizing Domain Generation Algorithms (DGA) in recent years. Many systems have [&hellip;]<\/p>\n","protected":false},"author":98,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[282,283],"tags":[34,141,89,63,67,8,22,29,5,68,18,16,26],"class_list":["post-799","post","type-post","status-publish","format-standard","hentry","category-publications","category-technical-report","tag-algorithms","tag-ant","tag-csu","tag-dns","tag-lacrend","tag-lander","tag-measurement-systems","tag-network-traffic","tag-papers","tag-retro-future","tag-security","tag-software","tag-tech-report"],"_links":{"self":[{"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=\/wp\/v2\/posts\/799","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=\/wp\/v2\/users\/98"}],"replies":[{"embeddable":true,"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=799"}],"version-history":[{"count":8,"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=\/wp\/v2\/posts\/799\/revisions"}],"predecessor-version":[{"id":1624,"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=\/wp\/v2\/posts\/799\/revisions\/1624"}],"wp:attachment":[{"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=799"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=799"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=799"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}