Detecting DGA malware using NetFlow

Kód výsledku v IS VaVaI

<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F68407700%3A21230%2F15%3A00233467" target="_blank" >RIV/68407700:21230/15:00233467 - isvavai.cz</a>

Výsledek na webu

<a href="http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=7140486" target="_blank" >http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=7140486</a>

DOI - Digital Object Identifier

<a href="http://dx.doi.org/10.1109/INM.2015.7140486" target="_blank" >10.1109/INM.2015.7140486</a>

Jazyk výsledku

angličtina

Název v původním jazyce

Detecting DGA malware using NetFlow

Popis výsledku v původním jazyce

Botnet detection systems struggle with performance and privacy issues when analyzing data from large-scale networks. Deep packet inspection, reverse engineering, clustering and other time consuming approaches are unfeasible for large-scale networks. Therefore, many researchers focus on fast and simple botnet detection methods that use as little information as possible to avoid privacy violations. We present a novel technique for detecting malware using Domain Generation Algorithms (DGA), that is able toevaluate data from large scale networks without reverse engineering a binary or performing Non-Existent Domain (NXDomain) inspection. We propose to use a statistical approach and model the ratio of DNS requests and visited IPs for every host in the local network and label the deviations from this model as DGA-performing malware. We expect the malware to try to resolve more domains during a small time interval without a corresponding amount of newly visited IPs. For this we need only the

Název v anglickém jazyce

Detecting DGA malware using NetFlow

Popis výsledku anglicky

Botnet detection systems struggle with performance and privacy issues when analyzing data from large-scale networks. Deep packet inspection, reverse engineering, clustering and other time consuming approaches are unfeasible for large-scale networks. Therefore, many researchers focus on fast and simple botnet detection methods that use as little information as possible to avoid privacy violations. We present a novel technique for detecting malware using Domain Generation Algorithms (DGA), that is able toevaluate data from large scale networks without reverse engineering a binary or performing Non-Existent Domain (NXDomain) inspection. We propose to use a statistical approach and model the ratio of DNS requests and visited IPs for every host in the local network and label the deviations from this model as DGA-performing malware. We expect the malware to try to resolve more domains during a small time interval without a corresponding amount of newly visited IPs. For this we need only the

Druh

D - Stať ve sborníku

CEP obor

JC - Počítačový hardware a software

OECD FORD obor

—

Projekt

—

Návaznosti

I - Institucionalni podpora na dlouhodoby koncepcni rozvoj vyzkumne organizace

Rok uplatnění

2015

Kód důvěrnosti údajů

S - Úplné a pravdivé údaje o projektu nepodléhají ochraně podle zvláštních právních předpisů

Název statě ve sborníku

Proceedings of the 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM)

ISBN

978-3-901882-76-0

ISSN

—

e-ISSN

—

Počet stran výsledku

6

Strana od-do

1304-1309

Název nakladatele

IEEE

Místo vydání

Piscataway

Místo konání akce

Ottawa

Datum konání akce

11. 5. 2015

Typ akce podle státní příslušnosti

WRD - Celosvětová akce

Kód UT WoS článku

—