Botnet detection is an important issue for cybersecurity and IT departments. Botnets affect a wide range of businesses, including banks, healthcare, law enforcement, and many others.
Detecting these networks is difficult and expensive because it requires analyzing large amounts of data. Several methods are available for this task, ranging from passive network flow analysis to rule-based detection.
There are also a number of graph-based methods, which are more efficient than flow-based techniques. These methods use a variety of graph features, such as in-degree, out-degree, in-degree weight, out-degree weight, clustering coefficient, node betweenness, and eigenvector centrality, to determine the presence of botnets.
Detecting and Disrupting Botnets: The Essential Guide to Protecting Your Network
Bot computers often send DNS queries to command and control (C&C) servers in order to resume their activities. Normally, the C&C server is a distributed system that uses dynamic DNS entries to hide its IP address from intrusion prevention systems.
DGA-Based Detection Methods
Domain Generation Algorithm (DGA)-based detection methods are a common way to identify bot computers in a network. They differentiate algorithmically generated domains from normal domains by spotting anomalous DGA-querying patterns in the network's DNS traffic.
These methods can help determine the presence of a botnet and can even prevent it from getting online. However, they are not perfect and require a good understanding of malware and network infrastructures to successfully distinguish between legitimate and malicious traffic.
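As an added illustration of the DGA-querying pattern described above (example code written for this page, not taken from it or from any vendor product), the script below scores each client in a constructed DNS log by its NXDOMAIN ratio and the mean character entropy of the names it looks up; the thresholds and the three-column log format are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS log (client, queried name, response code); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.org NOERROR
10.0.0.5 cdn.example.net NOERROR
10.0.0.9 xk3v9qz1hb.com NXDOMAIN
10.0.0.9 q7wpl0mtr2.net NXDOMAIN
10.0.0.9 zt8bncv4ya.com NXDOMAIN
10.0.0.9 m1rkfpw9xq.org NXDOMAIN
10.0.0.9 vhq2ls7dk.com NOERROR
"""

def shannon_entropy(s: str) -> float:
    """Bits per character of a label; random-looking DGA labels score high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def second_level_label(name: str) -> str:
    """Label just left of the TLD, e.g. 'example' in www.example.com."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def client_features(log_text: str) -> dict:
    """Per-client NXDOMAIN ratio and mean entropy of the queried labels."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "entropy": []})
    for line in log_text.splitlines():
        client, name, rcode = line.split()
        st = stats[client]
        st["total"] += 1
        if rcode == "NXDOMAIN":          # unregistered names: typical of DGA probing
            st["nx"] += 1
        st["entropy"].append(shannon_entropy(second_level_label(name)))
    return {c: {"nx_ratio": s["nx"] / s["total"],
                "mean_entropy": sum(s["entropy"]) / len(s["entropy"])}
            for c, s in stats.items()}

def flag_dga_clients(log_text: str, nx_threshold=0.5, entropy_threshold=3.0) -> list:
    """Clients whose DNS behaviour matches the DGA-querying pattern (thresholds assumed)."""
    feats = client_features(log_text)
    return sorted(c for c, f in feats.items()
                  if f["nx_ratio"] >= nx_threshold and f["mean_entropy"] >= entropy_threshold)
```

Tune the thresholds against a baseline of your own resolver logs, since CDN and legitimate short-lived hostnames can also raise entropy.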
To help detect these attacks, ManageEngine has created a NetFlow Analyzer tool that allows users to monitor traffic and analyze patterns. The service also includes a customizable dashboard to help users identify suspicious activity and prioritize it.