Detecting DGA Malware Traffic Through Behavioral Models. Erquiaga, María José Catania, Carlos García, Sebastían

Transcription

1 Detecting DGA Malware Traffic Through Behavioral Models Erquiaga, María José Catania, Carlos García, Sebastían

2 Outline Introduction Detection Method Training the threshold Dataset description Experiment setup Experiment results Conclusion

3 Introduction DGA Definition Some botnets use algorithms to generate the domain names they need to connect to their C&C servers: Domain Generation Algorithms. DGA detection Detecting the domain names generated by a DGA is difficult because they are usually randomly generated from letters or common dictionary words. Hypothesis: Behavior in the network generated by DGA is quite different from normal DNS traffic. Goal: to differentiate DGA traffic from normal DNS traffic using machine learning methods. To accomplish this goal we use the network-based behavioral models of the Stratosphere Project [1] to model the DNS traffic and to perform our experiments. [1] Stratosphere Project

4 Detection Method (I) Behavioral models Model the behavior of each connection by aggregating the flows according to a 4-tuple composed of: source IP address, destination IP address, destination port and protocol Steps: 1) Extract three features of each flow: size, duration and periodicity. 2) Assign to each flow a state letter according to the features extracted and the assignment strategy. 3) All the states of the connection are represented as a string and stored as part of the behavioral model.

5 Detection Method (II) Example behavioral model: 24.R*R.R.R*a*b*a*a*b*b*a*R.R*R.R*a*a*b*a*a*a*a

6 Detection Method (III) Markov chains First, a Markov Chain model is created (trained) for each known connection. Creating each Markov Chain model results in a transition matrix and initialization vector per connection (detection model of the connection). Second, the new unknown incoming traffic that is going to be evaluated is separated into connections and for each connection we generate the corresponding string of letters. Third, the method evaluates which is the probability that each new string of letters had been generated by each one of the trained detection models

7 Dataset For the purpose of evaluation, these groups were also separated in a dataset for training, one for cross-validation and one for testing.

8 Experiment Setup Goal: analyze the detection potential of the trained models on each of the five group of DNS behaviors. Our testing methodology uses time windows for the computation of errors (alerts should be reported at most after a fixed amount of time) We separate the testing datasets on time windows of five minutes. On each time window we apply our detection method to obtain the amount of errors: TN, TP, FP, FN.

9 Experiment Results (I) Normal DGA 1 DNS Botnet DGA 22 Fast Flux

10 Experiment Results (I) Normal DGA 1 DNS Botnet DGA 22 Fast Flux

11 Experiment Results (I) Normal DGA 1 DNS Botnet DGA 22 Fast Flux

12 Experiment Results (I) Normal DGA 1 DNS Botnet DGA 22 Fast Flux

13 Experiment Results (I) Normal DGA 1 DNS Botnet DGA 22 Fast Flux

14 Experiment Results (III) Performance of each group detection model B (DNS Botnet) on all the testing datasets :

15 Experiment Results (IV) Performance of each group detection model B (DNS Botnet) on all the testing datasets :

16 Conclusion Our detection method, has shown that the detection models from the DGA groups were able to generalize others groups of traffic behavior. The most important finding observed during our experiments was the notable difference between the behavior of normal and botnet DNS models. Such results are an important confirmation of the viability of the use of behavioral models in the detection of DGA traffic. Future work. Further research on datasets with both normal and botnet traffic for our testing.

17 Questions?