{"title":"利用网络异常检测识别基于dga的僵尸网络","authors":"Dragos Gavrilut, George Popoiu, Razvan Benchea","doi":"10.1109/SYNASC.2016.053","DOIUrl":null,"url":null,"abstract":"Nowadays, the attacks are no longer performed from a single computer but from thousands, sometimes millions of systems that are located all over the globe and are grouped in a network called botnet. The most widely used technique to control a botnet is to try to connect to many domain names, generated according to an algorithm called domain generating algorithm (DGA). In this paper we present different algorithms that can determine if a computer is part of a botnet by looking at its network traffic. Since in some cases the network traffic is impossible to be shared due to privacy reasons we also analyze the case where just limited information can be provided (such as a netflow log). The algorithms presented here were obtained after reverse engineering and analyzing the DGA of 18 different botnets including some that were taken down (such as Cryptolocker) and ones that are still alive and thriving (such as PushDo, Tinba, Nivdort, DirtyLocker, Dobot, Patriot, Ramdo, Virut, Ramnit and many more).","PeriodicalId":268635,"journal":{"name":"2016 18th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC)","volume":"86 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":"{\"title\":\"Identifying DGA-Based Botnets Using Network Anomaly Detection\",\"authors\":\"Dragos Gavrilut, George Popoiu, Razvan Benchea\",\"doi\":\"10.1109/SYNASC.2016.053\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Nowadays, the attacks are no longer performed from a single computer but from thousands, sometimes millions of systems that are located all over the globe and are grouped in a network called botnet. The most widely used technique to control a botnet is to try to connect to many domain names, generated according to an algorithm called domain generating algorithm (DGA). In this paper we present different algorithms that can determine if a computer is part of a botnet by looking at its network traffic. Since in some cases the network traffic is impossible to be shared due to privacy reasons we also analyze the case where just limited information can be provided (such as a netflow log). The algorithms presented here were obtained after reverse engineering and analyzing the DGA of 18 different botnets including some that were taken down (such as Cryptolocker) and ones that are still alive and thriving (such as PushDo, Tinba, Nivdort, DirtyLocker, Dobot, Patriot, Ramdo, Virut, Ramnit and many more).\",\"PeriodicalId\":268635,\"journal\":{\"name\":\"2016 18th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC)\",\"volume\":\"86 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2016-09-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"3\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2016 18th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/SYNASC.2016.053\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 18th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SYNASC.2016.053","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Identifying DGA-Based Botnets Using Network Anomaly Detection
Nowadays, the attacks are no longer performed from a single computer but from thousands, sometimes millions of systems that are located all over the globe and are grouped in a network called botnet. The most widely used technique to control a botnet is to try to connect to many domain names, generated according to an algorithm called domain generating algorithm (DGA). In this paper we present different algorithms that can determine if a computer is part of a botnet by looking at its network traffic. Since in some cases the network traffic is impossible to be shared due to privacy reasons we also analyze the case where just limited information can be provided (such as a netflow log). The algorithms presented here were obtained after reverse engineering and analyzing the DGA of 18 different botnets including some that were taken down (such as Cryptolocker) and ones that are still alive and thriving (such as PushDo, Tinba, Nivdort, DirtyLocker, Dobot, Patriot, Ramdo, Virut, Ramnit and many more).
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
