The very tactics used to make botnets resilient, such as fast-flux networks and Conficker-like dynamic domain generation, can give away their activity, according to research from the Georgia Institute of Technology.
Botnets can be uncovered at an early stage by dynamically detecting changes in the domain name system (DNS). The Georgia Tech team reports that they were able to detect anomalies in the DNS indicative of botnets and have documented recognition rates greater than 98 percent.
The team used a system that dynamically determines the reputation of domain-name/Internet protocol-address pairs by collecting DNS query data from registrars and analyzing the domain structure, focusing on network and zone characteristics. The team combined this system, called Notos, with a machine-learning system, called Kopis, which detects changes across the DNS infrastructure of a company, an Internet service provider, or the Internet as a whole that are characteristic of malicious networks. The team trained Kopis on lookup patterns, periodicity, and profiles based on the diversity of the lookups. The two systems were able to detect botnets such as IMDDOS and those built on SpyEye.
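As an added illustration, not code from the Georgia Tech project (Notos and Kopis are only described above, not reproduced), the following Python sketch computes three of the per-domain signals the summary mentions over a constructed DNS query log: answer-IP churn (a fast-flux indicator), regularity of lookup timing (periodicity), and querying-client diversity. The log entries, domain names, IPs and thresholds are all made up for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample DNS query log: (timestamp_s, client_id, qname, answer_ip).
SAMPLE_LOG = [
    # benign-looking: one stable IP, several clients, irregular timing
    (0, "c1", "example.com", "93.184.216.34"),
    (17, "c2", "example.com", "93.184.216.34"),
    (40, "c3", "example.com", "93.184.216.34"),
    (95, "c1", "example.com", "93.184.216.34"),
    # suspicious: a new IP in every answer, few clients, exact 30 s cadence
    (0, "c7", "qz8vk1s.biz", "10.0.0.1"),
    (30, "c7", "qz8vk1s.biz", "10.0.0.2"),
    (60, "c7", "qz8vk1s.biz", "10.0.0.3"),
    (90, "c7", "qz8vk1s.biz", "10.0.0.4"),
    (120, "c8", "qz8vk1s.biz", "10.0.0.5"),
]

def domain_features(log):
    """Aggregate raw lookups into per-domain features."""
    by_domain = defaultdict(list)
    for ts, client, qname, ip in log:
        by_domain[qname].append((ts, client, ip))
    feats = {}
    for qname, rows in by_domain.items():
        ts = sorted(t for t, _, _ in rows)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        # Coefficient of variation of inter-lookup gaps: near 0 means beacon-like.
        cv = pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) > 0 else None
        feats[qname] = {
            "distinct_ips": len({ip for _, _, ip in rows}),      # fast-flux signal
            "distinct_clients": len({c for _, c, _ in rows}),   # lookup diversity
            "lookups": len(rows),
            "gap_cv": cv,                                       # periodicity
        }
    return feats

def flag_domain(f, ip_threshold=3, cv_threshold=0.2):
    """Return the list of reasons a domain looks anomalous (empty if none)."""
    reasons = []
    if f["distinct_ips"] >= ip_threshold:
        reasons.append("flux")
    if f["gap_cv"] is not None and f["gap_cv"] < cv_threshold:
        reasons.append("periodic")
    if f["lookups"] >= 4 and f["distinct_clients"] <= 2:
        reasons.append("low-diversity")
    return reasons

def score_log(log):
    return {q: flag_domain(f) for q, f in domain_features(log).items()}
```

In a real deployment these features would feed a trained classifier rather than fixed thresholds, and would be computed over resolver logs from many networks so that a single client's habits do not dominate.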
They can detect botnets weeks before they go active and start sending out malware.
From CSO Online