Abstract: As a new platform for launching attacks collectively, botnets have been regarded in the literature as the leading security threat to the Internet. Previous work focuses on how to detect zombies via certain behavioral patterns of botnets. However, tracking the network activities of the zombies, so as to gain a global view of "what those zombies do" in addition to "who those zombies are", is an important and challenging task, since it is in the very nature of botnets to stay stealthy for as long as possible while conducting various malicious activities. In this paper, an improved approach to this new problem is proposed, based on the co-occurrence relation of DNS queries and taking full account of the spatial and temporal properties of botnet activities. The approach excludes the noise introduced by NAT, and distinguishes domains whose co-occurrence is caused by botnet activity from those whose co-occurrence is caused by normal user activity, according to the spatial and temporal dimensions. We then validate the approach using DNS traffic from a real network. The experimental results show that it can eliminate NAT interference, significantly reduce the amount of data, and improve the discovery of unknown, anomalous botnet domains. We also analyze the main factors that affect the approach and propose corresponding treatment strategies.
Keywords: co-occurrence relation of DNS queries; botnet; tracking in network; NAT
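As an added illustration (not code from the paper), the following Python sketch shows how the abstract's two dimensions can be applied to DNS logs: queries are bucketed per source host and time window (temporal), domain pairs are then counted across distinct hosts (spatial), and a NAT-like source is excluded beforehand so that it cannot manufacture false co-occurrences. The log lines, the NAT heuristic (distinct-domain count per window) and all thresholds are assumptions made for this example, not the paper's method.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample log (not real traffic): "epoch_seconds src_ip queried_domain".
# Three hosts resolve bot-a/bot-b within the same minute; 10.0.0.254 plays a NAT
# gateway that resolves dozens of unrelated domains plus the two bot domains.
SAMPLE_LOG = """1000 10.0.0.1 cdn.example
1003 10.0.0.1 bot-a.example
1010 10.0.0.1 bot-b.example
1005 10.0.0.2 bot-a.example
1015 10.0.0.2 bot-b.example
1020 10.0.0.2 news.example
1002 10.0.0.3 bot-a.example
1018 10.0.0.3 bot-b.example
1100 10.0.0.3 mail.example
1100 10.0.0.1 mail.example
""" + "".join(f"{1000 + i} 10.0.0.254 site{i}.example\n" for i in range(30)) \
    + "1001 10.0.0.254 bot-a.example\n1002 10.0.0.254 bot-b.example\n"

def parse_log(text):
    """Parse whitespace-separated records into (timestamp, src_ip, domain)."""
    return [(int(ts), ip, q.lower()) for ts, ip, q in
            (line.split() for line in text.splitlines() if line.strip())]

def window_domains(records, window=60):
    """Temporal dimension: domains each host resolved within one time window."""
    buckets = defaultdict(set)
    for ts, ip, qname in records:
        buckets[(ip, ts // window)].add(qname)
    return buckets

def drop_nat_hosts(buckets, max_domains=20):
    """Assumed heuristic: a source resolving far more distinct domains per window
    than one user plausibly would is treated as NAT and excluded, since it merges
    unrelated users' queries into spurious co-occurrences."""
    nat = {ip for (ip, _), doms in buckets.items() if len(doms) > max_domains}
    return {k: v for k, v in buckets.items() if k[0] not in nat}, nat

def co_occurring_pairs(buckets, min_hosts=3):
    """Spatial dimension: count distinct hosts on which a domain pair co-occurs
    inside one window; a pair seen on few hosts is ordinary user behaviour."""
    hosts = defaultdict(set)
    for (ip, _), doms in buckets.items():
        for pair in combinations(sorted(doms), 2):
            hosts[pair].add(ip)
    return {p: len(h) for p, h in hosts.items() if len(h) >= min_hosts}

def track_botnet_domains(log_text, window=60, max_domains=20, min_hosts=3):
    """Full pipeline: parse, bucket by time, exclude NAT, keep widely shared pairs."""
    buckets, nat = drop_nat_hosts(window_domains(parse_log(log_text), window), max_domains)
    return co_occurring_pairs(buckets, min_hosts), nat
```

Without the NAT step the bot-a/bot-b pair would also pick up the gateway and every unrelated site it resolved would become a candidate pair with it; the exclusion keeps the candidate set to pairs shared by several independent hosts.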