CONDENSER: A Graph-Based Approach for Detecting Botnets
Pedro Camelo, Joao Moura, Ludwig Krippahl

TL;DR
CONDENSER is a graph-based machine learning framework that detects botnet activity by analyzing DNS responses and network communication patterns, enabling quick identification of new and known botnets.
Contribution
It introduces a novel combination of machine learning, clustering, and graph-based data representation for effective botnet detection.
Findings
Accurately classifies domain names generated by DGAs
Clusters network communication patterns effectively
Supports querying for botnet activity detection
Abstract
Botnets represent a global problem and are responsible for causing large financial and operational damage to their victims. They are implemented with evasion in mind and aim at hiding their architecture and authors, making them difficult to detect in general. These kinds of networks are mainly used for identity theft, virtual extortion, spam campaigns and malware dissemination. Botnets have great potential in warfare and terrorist activities, making it of utmost importance to take action against them. We present CONDENSER, a method for identifying data generated by botnet activity. We start by selecting the appropriate features from several data feeds, namely DNS non-existent domain responses and live communication packages directed to command and control servers that we previously sinkholed. Using machine learning algorithms and a graph-based representation of the data then allows one to…
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Network Packet Processing and Optimization
