Detection of algorithmically generated malicious domain names based on lexical features

Bibliographic Details
Main Authors: Dmitrii Matveichev, Dmitrii Vladimirovich Matveichev
Other Authors: TSENG, CHIN-YANG
Format: Others
Language: en_US
Published: 2018
Online Access: http://ndltd.ncl.edu.tw/handle/ecgxj8
Description
Summary: Master's thesis === National Taipei University === Department of Computer Science and Information Engineering === 106 === The latest threat reports show a notable increase in detected botnets compared to previous years. In fact, the number of IoT botnet C&C controllers alone more than doubled in 2017. Botnet C&C controllers are used by cybercriminals to launch attacks using botnet-enslaved devices. As the success of the Mirai botnet showed, many companies use poorly secured IoT devices, which gives attackers an opportunity to use those devices as botnet zombies. To avoid detection, botnets use domain generation algorithms (DGAs) to connect to C&C servers via a large number of domain names. This work proposes a low-cost strategy to detect domain names generated by a DGA. Statistically, the lexical features of algorithmically generated domain names differ from those of human-generated ones. Thus, algorithmically generated domain names can be used to detect botnet or malware activity in the network. To justify the choice of lexical features, we gathered domain name statistics for 32 botnets that appeared in the last 8 years. Lexical features were chosen based on the gathered statistics, and new lexical features were suggested. The chosen lexical features were used to generate a decision tree by means of the C4.5 algorithm. Experimental results show that the suggested new lexical features improve detection accuracy; 93.7% detection accuracy was achieved. A detection algorithm based on the generated decision tree can be used for fast real-time detection of botnet domain names.