HTTP botnet detection using passive DNS analysis and application profiling

Files

Alenazi_Abdelrahman_MASc_2017.pdf (754.91 KB)

Date

2017-12-15

Authors

Alenazi, Abdelrahman Aziz

Journal Title

Journal ISSN

Volume Title

Publisher

Abstract

HTTP botnets are currently the most popular form of botnets compared to IRC and P2P botnets. This is because, they are not only easier to implement, operate, and maintain, but they can easily evade detection. Likewise, HTTP botnets flows can easily be buried in the huge volume of legitimate HTTP traffic occurring in many organizations, which makes the detection harder. In this thesis, a new detection framework involving three detection models is proposed, which can run independently or in tandem. The first detector profiles the individual applications based on their interactions, and isolates accordingly the malicious ones. The second detector tracks the regularity in the timing of the bot DNS queries, and uses this as basis for detection. The third detector analyzes the characteristics of the domain names involved in the DNS, and identifies the algorithmically generated and fast flux domains, which are staples of typical HTTP botnets. Several machine learning classifiers are investigated for each of the detectors. Experimental evaluation using public datasets and datasets collected in our testbed yield very encouraging performance results.

Description

Keywords

HTTP botnet, Botnet detection, Machine learning, Passive DNS, DGA domains, Malicious fast flux DNS

Citation

URI

http://hdl.handle.net/1828/8869

Collections

ETD (Electronic Theses and Dissertations)
Theses (Electrical and Computer Engineering)
 
University of Victoria Libraries

We acknowledge and respect the Lək̓ʷəŋən (Songhees and Esquimalt) Peoples on whose territory the university stands, and the Lək̓ʷəŋən and W̱SÁNEĆ Peoples whose historical relationships with the land continue to this day.