Document Type : Original Research Paper


1 Department of Electrical and Computer Engineering, Science and Research Branch, Islamic Azad University, Tehran, Iran.

2 Department of Mathematics and Computer Science, Shahed University, Tehran, Iran..


Abstract—One of the serious threats to cyberspace is the Bot networks or Botnets. Bots are malicious software that acts as a network and allows hackers to remotely manage and control infected computer victims. Given the fact that DNS is one of the most common protocols in the network and is essential for the proper functioning of the network, it is very useful for monitoring, detecting and reducing the activity of the Botnets. DNS queries are sent in the early stages of the life cycle of each Botnet, so infected hosts are identified before any malicious activity is performed. Because the exchange of information in the network environment and the volume of information is very high, Storing and indexing this massive data requires a large database. By using the DNS traffic analysis, we try to identify the Botnets. We used the data generated from the network traffic and information of known Botnets with the Splunk platform to conduct data analysis to quickly identify attacks and predict potential dangers that could arise. The analysis results were used in tests conducted on real network environments to determine the types of attacks. Visual IP mapping was then used to determine actions that could be taken. The proposed method is capable of recognizing known and unknown Bots.


Main Subjects

[1] Alomari, E., Manickam, S., Gupta, B.B., Karuppayah, S. and Alfaris, R., 2012. Botnet-based distributed denial of service (DDoS) attacks on web servers: classification and art. arXiv preprint arXiv:1208.0403.
[2] Lu, W., Rammidi, G. and Ghorbani, A.A., 2011. Clustering botnet communication traffic based on n-gram feature selection. Computer Communications, 34(3), pp.502-514.
[3] Almomani, A., Gupta, B.B., Wan, T.C., Altaher, A. and Manickam, S., 2013. Phishing dynamic evolving neural fuzzy framework for online detection zero-day phishing email. arXiv preprint arXiv:1302.0629.
[4] Al-Momani, A., Wan, T.C., Al-Saedi, K., Altaher, A., Ramadass, S., Manasrah, A., Melhim, L.B. and Anbar, M., 2011. An online model on evolving phishing e-mail detection and classification method. journal of applied science, 11(18), pp.3301-3307.
[5] Alieyan, K., ALmomani, A., Manasrah, A. and Kadhum, M.M., 2017. A survey of botnet detection based on DNS. Neural Computing and Applications, 28(7), pp.1541-1558.
[6] Zeidanloo, H.R., Shooshtari, M.J.Z., Amoli, P.V., Safari, M. and Zamani, M., 2010, July. A taxonomy of botnet detection techniques. In Computer Science and Information Technology (ICCSIT), 2010 3rd IEEE International Conference on (Vol. 2, pp. 158-162). IEEE.
[7] Karim, A., Salleh, R.B., Shiraz, M., Shah, S.A.A., Awan, I. and Anuar, N.B., 2014. Botnet detection techniques: review, future trends, and issues. Journal of Zhejiang University SCIENCE C, 15(11), pp.943-983.
[8] Alieyan, K., ALmomani, A., Manasrah, A. and Kadhum, M.M., 2017. A survey of botnet detection based on DNS. Neural Computing and Applications, 28(7), pp.1541-1558.
[9] Stevanovic, M., Pedersen, J.M., D’Alconzo, A. and Ruehrup, S., 2017. A method for identifying compromised clients based on DNS traffic analysis. International Journal of Information Security, 16(2), pp.115-132.
[10] Zhao, G., Xu, K., Xu, L. and Wu, B., 2015. Detecting APT malware infections based on malicious DNS and traffic analysis. IEEE Access, 3, pp.1132-1142.
[11] Das, S., Mukhopadhyay, A. and Shukla, G.K., 2013, January. i-HOPE framework for predicting cyber breaches: a logit approach. In System Sciences (HICSS), 2013 46th Hawaii International Conference on (pp. 3008-3017). IEEE.
[12] Bhandari, A., Sangal, A.L. and Kumar, K., 2016. Characterizing flash events and distributed denial‐of‐service attacks: an empirical investigation. Security and Communication Networks, 9(13), pp.2222-2239.
[13] Woodie, A., 2015. Why Gartner dropped big data off the hype curve.
[14] Marty, R., 2009. Applied security visualization (p. 552). Upper Saddle River: Addison-Wesley.
[15] Choi, H. and Lee, H., 2012. Identifying botnets by capturing group activities in DNS traffic. Computer Networks, 56(1), pp.20-33.
[16] Gu, G., Yegneswaran, V., Porras, P., Stoll, J. and Lee, W., 2009, December. Active botnet probing to identify obscure command and control channels. In Computer Security Applications Conference, 2009. ACSAC'09. Annual (pp. 241-253). IEEE.
[17] Stone-Gross, B., Cova, M., Cavallaro, L., Gilbert, B., Szydlowski, M., Kemmerer, R., Kruegel, C. and Vigna, G., 2009, November. Your botnet is my botnet: analysis of a botnet takeover. In Proceedings of the 16th ACM conference on Computer and communications security (pp. 635-647). ACM.
[18] Huang, C.Y., 2013. Effective bot host detection based on network failure models. Computer Networks, 57(2), pp.514-525.
[19] Antonakakis, M., Perdisci, R., Lee, W., Vasiloglou, N. and Dagon, D., 2011, August. Detecting Malware Domains at the Upper DNS Hierarchy. In USENIX security symposium (Vol. 11, pp. 1-16).
[20] Antonakakis, M., Perdisci, R., Nadji, Y., Vasiloglou, N., Abu-Nimeh, S., Lee, W. and Dagon, D., 2012, August. From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware. In USENIX security symposium (Vol. 12).
[21] Perdisci, R., Corona, I. and Giacinto, G., 2012. Early detection of malicious flux networks via large-scale passive DNS traffic analysis. IEEE Transactions on Dependable and Secure Computing, 9(5), pp.714-726.
[22] Bilge, L., Sen, S., Balzarotti, D., Kirda, E. and Kruegel, C., 2014. Exposure: A passive dns analysis service to detect and report malicious domains. ACM Transactions on Information and System Security (TISSEC), 16(4), p.14.
[23] Kang, B.B.H., 2011. DNS-based botnet detection. In Encyclopedia of Cryptography and Security (pp. 362-363). Springer, Boston, MA.