Staff Profile Pages

Encrypted and covert DNS queries for botnets: Challenges and countermeasures

Authors: Patsakis, C., Casino, F. and Katos, V.

Journal: Computers and Security

Volume: 88

ISSN: 0167-4048

DOI: 10.1016/j.cose.2019.101614

Abstract:

There is a continuous increase in the sophistication that modern malware exercise in order to bypass the deployed security mechanisms. A typical approach to evade the identification and potential take down of a botnet command and control server is domain fluxing through the use of Domain Generation Algorithms (DGAs). These algorithms produce a vast amount of domain names that the infected device tries to communicate with to find the C&C server, yet only a small fragment of them is actually registered. This allows the botmaster to pivot the control and make the work of seizing the botnet control rather difficult. Current state of the art and practice considers that the DNS queries performed by a compromised device are transparent to the network administrator and therefore can be monitored, analysed, and blocked. In this work, we showcase that the latter is a strong assumption as malware could efficiently hide its DNS queries using covert and/or encrypted channels bypassing the detection mechanisms. To this end, we discuss possible mitigation measures based on traffic analysis to address the new challenges that arise from this approach.

https://eprints.bournemouth.ac.uk/33197/

Source: Scopus

Encrypted and covert DNS queries for botnets: Challenges and countermeasures

Authors: Patsakis, C., Casino, F. and Katos, V.

Journal: COMPUTERS & SECURITY

Volume: 88

eISSN: 1872-6208

ISSN: 0167-4048

DOI: 10.1016/j.cose.2019.101614

https://eprints.bournemouth.ac.uk/33197/

Source: Web of Science (Lite)

Encrypted and Covert DNS Queries for Botnets: Challenges and Countermeasures

Authors: Patsakis, C., Casino, F. and Katos, V.

Journal: Computers and Security

Publisher: Elsevier

ISSN: 0167-4048

DOI: 10.1016/j.cose.2019.101614

https://eprints.bournemouth.ac.uk/33197/

Source: Manual

Encrypted and Covert DNS Queries for Botnets: Challenges and Countermeasures

Authors: Patsakis, C., Casino, F. and Katos, V.

Journal: Computers and Security

Volume: 88

Issue: January

ISSN: 0167-4048

Abstract:

There is a continuous increase in the sophistication that modern malware exercise in order to bypass the deployed security mechanisms. A typical approach to evade the identification and potential take down of a botnet command and control server is domain fluxing through the use of Domain Generation Algorithms (DGAs). These algorithms produce a vast amount of domain names that the infected device tries to communicate with to find the C&C server, yet only a small fragment of them is actually registered. This allows the botmaster to pivot the control and make the work of seizing the botnet control rather difficult.

Current state of the art and practice considers that the DNS queries performed by a compromised device are transparent to the network administrator and therefore can be monitored, analysed, and blocked. In this work, we showcase that the latter is a strong assumption as malware could efficiently hide its DNS queries using covert and/or encrypted channels bypassing the detection mechanisms. To this end, we discuss possible mitigation measures based on traffic analysis to address the new challenges that arise from this approach.

https://eprints.bournemouth.ac.uk/33197/

Source: BURO EPrints