Language Agnostic Botnet Detection Based on ESOM and DNS
Botnets enable various cyber-criminal activities, such as DDoS attacks, banking fraud, data theft and extortion. Current botnet detection approaches face many challenges: for example, bots use peer-to-peer infrastructures and domain fast-flux, or encrypt their command and control traffic, in order to evade signature-based detection. In recent years an increasing number of approaches have focused on DNS-based detection of bots. However, such approaches can be negatively influenced by the variance of linguistic characteristics across different networks or root zones of the domain name system. We therefore propose a novel approach based on Emergent Self-Organizing Maps and DNS request monitoring to find bots in real-life network environments. Our approach is language agnostic because it operates on a high-level abstraction of the network traffic, and of DNS requests in particular, rather than on linguistic features of the queried names. Furthermore, it can semi-automatically adjust itself to changing bot behavior. We validated our approach on real network traffic.
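As an added illustration of the two ingredients the abstract combines (not the paper's code or the authors' ESOM implementation), the following Python sketch computes language-agnostic per-client features from a DNS request log using only counts, ratios and timing, never the text of the queried names, and then places the clients on a small Kohonen self-organizing map with a U-matrix. The sample log, the client addresses, the four features and the 3x3 map size are constructed assumptions; the abstract does not state the paper's feature set, and a real ESOM uses a map of thousands of neurons so that cluster structure can emerge.

```python
"""Toy Kohonen SOM over language-agnostic DNS features.  Added example, not the
paper's code; the feature set, sample log and 3x3 map size are assumptions."""
import math
import statistics
from collections import defaultdict

FEATURES = ("nxdomain_ratio", "unique_name_ratio", "queries_per_min", "timing_regularity")

def constructed_log():
    """Constructed DNS request log: (timestamp_s, client, qname, rcode); rcode 3 = NXDOMAIN."""
    names = ["example.com", "mail.example.com", "cdn.example.net", "example.org"]
    bursty = {"10.0.0.1": [1, 0.2, 0.3, 45, 2, 0.5, 120, 3, 0.1, 7],   # ordinary clients:
              "10.0.0.2": [0.4, 30, 0.1, 0.2, 90, 1, 0.3, 60, 2, 0.2]}  # irregular gaps, repeated names
    reqs = []
    for client, gaps in bursty.items():
        t = 0.0
        for i, gap in enumerate(gaps):
            t += gap
            reqs.append((t, client, names[(i * 3) % 4], 3 if client == "10.0.0.2" and i == 5 else 0))
    # DGA-style client: a fresh name every 10 s, nearly all of them NXDOMAIN
    reqs += [(10.0 * i, "10.0.0.9", f"q{i:02d}zk.info", 0 if i == 4 else 3) for i in range(10)]
    return reqs

def extract_features(requests):
    """Per-client vector from counts, ratios and timing only: the query text is never
    inspected, which is what makes the representation language agnostic."""
    by_client = defaultdict(list)
    for ts, client, qname, rcode in sorted(requests):
        by_client[client].append((ts, qname, rcode))
    vectors = {}
    for client, rows in by_client.items():
        n = len(rows)
        nx = sum(1 for _, _, rc in rows if rc == 3) / n
        uniq = len({q for _, q, _ in rows}) / n
        span = rows[-1][0] - rows[0][0]
        rate = n / (span / 60.0) if span > 0 else float(n)
        gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        regularity = 0.0
        if len(gaps) > 1 and statistics.mean(gaps) > 0:
            cv = statistics.pstdev(gaps) / statistics.mean(gaps)
            regularity = max(0.0, 1.0 - cv)  # 1.0 = perfectly periodic beaconing
        vectors[client] = [nx, uniq, rate, regularity]
    return vectors

def normalize(vectors):
    """Min-max scale every feature over the population so no unit dominates the distance."""
    dims = range(len(FEATURES))
    lo = [min(v[i] for v in vectors.values()) for i in dims]
    hi = [max(v[i] for v in vectors.values()) for i in dims]
    return {c: [(v[i] - lo[i]) / (hi[i] - lo[i]) if hi[i] > lo[i] else 0.0 for i in dims]
            for c, v in vectors.items()}

def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

class SOM:
    """Minimal Kohonen map; an ESOM runs the same algorithm on a map large enough
    (thousands of neurons) for cluster structure to emerge in the U-matrix."""
    def __init__(self, rows, cols, dim):
        self.rows, self.cols, self.dim = rows, cols, dim
        span = rows + cols - 2  # linear init along the diagonal: deterministic, already ordered
        self.w = [[[(r + c) / span] * dim for c in range(cols)] for r in range(rows)]

    def bmu(self, x):
        """Best matching unit: grid position of the neuron closest to x."""
        return min(((r, c) for r in range(self.rows) for c in range(self.cols)),
                   key=lambda rc: _dist(self.w[rc[0]][rc[1]], x))

    def train(self, data, epochs=100, lr0=0.5, radius0=1.5):
        for e in range(epochs):  # learning rate and neighbourhood radius decay linearly
            lr, radius = lr0 * (1 - e / epochs), max(0.3, radius0 * (1 - e / epochs))
            for x in data:
                br, bc = self.bmu(x)
                for r in range(self.rows):
                    for c in range(self.cols):
                        h = math.exp(-((r - br) ** 2 + (c - bc) ** 2) / (2 * radius ** 2))
                        w = self.w[r][c]
                        for i in range(self.dim):
                            w[i] += lr * h * (x[i] - w[i])

    def u_matrix(self):
        """Mean distance of each neuron to its grid neighbours; high ridges mark cluster borders."""
        u = [[0.0] * self.cols for _ in range(self.rows)]
        for r in range(self.rows):
            for c in range(self.cols):
                nbrs = [(r + dr, c + dc) for dr, dc in ((1, 0), (-1, 0), (0, 1), (0, -1))
                        if 0 <= r + dr < self.rows and 0 <= c + dc < self.cols]
                u[r][c] = sum(_dist(self.w[r][c], self.w[nr][nc]) for nr, nc in nbrs) / len(nbrs)
        return u

def map_clients(requests, rows=3, cols=3, epochs=100):
    """Return {client: (row, col)} on the trained map, plus the map for U-matrix inspection."""
    feats = normalize(extract_features(requests))
    som = SOM(rows, cols, len(FEATURES))
    som.train(list(feats.values()), epochs=epochs)
    return {client: som.bmu(x) for client, x in feats.items()}, som
```

Calling `map_clients(constructed_log())` places the periodic, NXDOMAIN-heavy client on a different neuron from the two ordinary clients, although the domain strings themselves were never examined; on a full-size map the same separation shows up as a U-matrix ridge between the regions. Periodically retraining the map on fresh traffic is one plausible reading of the semi-automatic adjustment the abstract mentions, but the abstract does not specify the mechanism.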