Botnet Malicious Activity Detection Based on DNS Traffic Analysis

In the field of internet security botnet is becoming the significant threat as more number of users are connected to internet. Botnet which is a collection of infected computers so called (bots) are becoming the major threat to internet community. The difference between a malware and botnet is that bot is remotely controlled by a C&C server which are under the control of a botmaster. Here in this research, a DNS traffic based approach is presented for detection of the malicious activities performed by botnets with inclusion of IP-Domain features. At first, a detailed literature is presented for botnet detection, and then a DNS traffic analysis technique is proposed with inclusion of a) IP to Domain pairing, b) deep packet inspection (DPI), c) anomalous behavior of traffic exchanged between bot infected PC to C&C server. A shell script is developed to automatically fetch the network traces from a victim Honeypot machine for further analysis for botnet infections in network traces. Further the global data feeds related to botnet attributes are integrated with the system but the problem with reputation engine is that they only determine the suspicious domain. To determine the actual botnet infections; there is a need to apply another technique in the form of DNS traffic analysis. A prototype system is developed which profile the DNS traffic for botnet determinations, in the end experimental results are presented to validate our research.