Date of Award

12-2017

Culminating Project Type

Thesis

Degree Name

Information Assurance: M.S.

Department

Information Assurance and Information Systems

College

Herberger School of Business

First Advisor

Tirthankar Ghosh

Second Advisor

Mark Schmidt

Third Advisor

Mehdi Mekni

Creative Commons License

Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.

Keywords and Subject Headings

DNS-based Botnet, DNS Tunneling, DGA, Fast Flux, Domain Flux, NXDomain, DNS Server Failure.

Abstract

Domain Name System (DNS) is one of the most widely used protocols in the Internet. The main purpose of the DNS protocol is mapping user-friendly domain names to IP addresses. Unfortunately, many cyber criminals deploy the DNS protocol for malicious purposes, such as botnet communications. In this type of attack, the botmasters tunnel communications between the Command and Control (C&C) servers and the bot-infected machines within DNS request and response. Designing an effective approach for botnet detection has been done previously based on specific botnet types Since botnet communications are characterized by different features, botmasters may evade detection methods by modifying some of these features. This research aims to design and implement a multi-staged detection approach for Domain Generation Algorithm (DGA), Fast Flux Service Network, and Domain Flux-based botnets, as well as encrypted DNS tunneled-based botnets using the BRO Network Security Monitor. This approach is able to detect DNS-based botnet communications by relying on analyzing different techniques used for finding the C&C server, as well as encrypting the malicious traffic.

Comments/Acknowledgements

First and foremost, I would like to express my sincere gratitude to my advisor, Dr. Tirthankar Ghosh, for his support of my study and research. He has been supportive since the days I began taking his classes on the Intrusion Detection & Prevention Systems, Firewalls, and Penetration Testing. In his lectures and projects, I remember he used to say, "In security, you have to think like a bad guy and act like a good guy " to promote our critical thinking as graduate students. Besides my advisor, I would like to thank the rest of my thesis committee, Dr. Mark Schmidt and Dr. Mehdi Mekni, for their encouragement and insightful comments.

I would also like to express my profound thanks to my parents, brothers, and sisters for providing me with unfailing support and continuous encouragement throughout my life.

Last, but not the least, I would like to thank my wife, Amal, for her sincere support. I would never have been able to finish my thesis without her love, support, and patience.

Thank you very much, everyone!

Share

COinS