Covert channels and anonymizing networks
Proceedings of the 2003 ACM workshop on Privacy in the electronic society
Piggybacking related domain names to improve DNS performance
Computer Networks: The International Journal of Computer and Telecommunications Networking
Detecting covert timing channels: an entropy-based approach
Proceedings of the 14th ACM conference on Computer and communications security
Wide-scale botnet detection and characterization
HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
Your botnet is my botnet: analysis of a botnet takeover
Proceedings of the 16th ACM conference on Computer and communications security
Peeking through the cloud: DNS-based estimation and its applications
ACNS'08 Proceedings of the 6th international conference on Applied cryptography and network security
Evaluating Bluetooth as a medium for botnet command and control
DIMVA'10 Proceedings of the 7th international conference on Detection of intrusions and malware, and vulnerability assessment
Social network-based botnet command-and-control: emerging threats and countermeasures
ACNS'10 Proceedings of the 8th international conference on Applied cryptography and network security
Practical comprehensive bounds on surreptitious communication over DNS
SEC'13 Proceedings of the 22nd USENIX conference on Security
Hi-index | 0.00 |
Attackers in particular botnet controllers use stealthy messaging systems to set up large-scale command and control. Understanding the capacity of such communication channels is important in detecting organized cyber crimes. We analyze the use of domain name service (DNS) as a stealthy botnet command-and-control channel, which allows multiple entities to pass messages stored in DNS records to each other.We describe and quantitatively analyze new techniques that can be used to hide malicious DNS activities both at the host and network levels. We also present and experimentally evaluate statistical contentanalysis techniques as a countermeasure, which require deep packet inspection. Our techniques are beyond the specific DNS security problem studied. We give a formal definition for the perfect stealth of a communication channel; point out the fundamental limits in achieving it, as well as the practical issues in the detection. We perform comprehensive statistical analysis that makes use of a two-month-long 4.6GB campus network dataset and 1 million domain names obtained from alexa.com.