Sistema autónomo de detección de botnets en la red de la Universidad de Cuenca basado en el comportamiento anómalo del tráfico DNS (Autonomous botnet detection system for the Universidad de Cuenca network based on anomalous DNS traffic behaviour)

Authors :
Astudillo Salinas, Darwin Fabián
Quezada Pauta, Vicente Geovanny
Publication Year :
2021

Abstract

In current cyber attacks, botnets are used as an advanced technique to generate sophisticated and coordinated attacks. Malicious code or exploited vulnerabilities are used to infect endpoints, turning them into bots. Infected systems connect to a C&C server to receive commands and carry out attacks. Detecting an infected host helps to protect network resources and prevents them from being used to attack third-party networks. This experimental thesis details the design, implementation and results of a DNS-traffic-based bot infection detection system for a university network. A feasibility analysis of detecting bot-infected hosts by building per-host fingerprints is performed. The fingerprints are generated from an hourly numerical analysis of 15 DNS attributes per host on the network. Isolation Forest is applied to the fingerprints to find anomalies and label each host as infected or not. Random Forest is then used to train a model that detects future bot infections of hosts. The DNS event management and handling system integrates Suricata, the ELK stack and Python; this integration makes it easy to store events, generate fingerprints, and analyze the results of fingerprint classification. In addition, the feasibility of the fingerprint-based method for detecting bot-infected hosts is checked against other traditional methods, by analyzing the behaviour of the infected hosts over time and looking for queries towards domains generated by a DGA.

Details

Database :
OAIster
Notes :
Spanish
Publication Type :
Electronic Resource
Accession number :
edsoai.on1269211626
Document Type :
Electronic Resource