Using EBPF to identify ransomware that use DGA DNS queries
DOI: https://doi.org/10.20535/2411-1031.2023.11.2.293760
Keywords: eBPF, DGA, DNS, malware, IDS, monitoring, kernel, cybersecurity
Abstract
In today's world, where the Internet has become integral to the functioning of government and corporate institutions, the integrity and availability of information is a key concern for many organizations and individual users. Protection against crypto viruses (ransomware) is especially relevant where the malware uses DGA (Domain Generation Algorithms), a technique by which attackers automatically generate domain names for client-server (Command & Control) communication; because DNS is so pervasively used in modern computer networks, such traffic is hard to detect and block. Given the growing number of attacks that use DGA, new methods are needed that are faster, can analyze large traffic flows in real time, and provide the means to detect and block these attacks. eBPF (Extended Berkeley Packet Filter) is a modern tool for creating small programs that monitor and analyze various aspects of a system in real time, including network traffic. These programs execute directly in the operating system kernel and/or at the network card level. In this study, we consider the possibility of using eBPF to detect DGA activity in DNS traffic. The goal is to determine the effectiveness of real-time ransomware detection. We built a ransomware analysis lab environment in which we developed eBPF-based modules, tested them, and simulated an attack. In addition, a cloud-based data analysis environment based on Splunk was set up, and rules for detecting a DGA attack were developed from that analysis. This article presents the results of developing an eBPF-based program for analyzing DNS traffic, of conducting DGA attacks, and of the methods for detecting them. These results can contribute to the development of strategies for protecting against malicious attacks on the network.
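To make the detection step concrete, here is an added example that is not code from the paper or its lab: a userspace consumer, of the kind that would receive DNS query payloads captured by an eBPF socket filter or kprobe, parses the question name from the raw DNS message and scores it with simple DGA heuristics (label length, Shannon entropy, vowel ratio). The sample queries, the helper names and the thresholds are constructed for illustration and are assumptions, not the paper's detection rules.

```python
import math
from collections import Counter

def encode_qname(name: str) -> bytes:  # wire-format QNAME, used only to build samples
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split(".")) + b"\x00"

def build_query(name: str, txid: int = 0x1234) -> bytes:
    # Constructed query: 12-byte header (flags RD, QDCOUNT=1), QNAME, QTYPE=A, QCLASS=IN.
    header = txid.to_bytes(2, "big") + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3
    return header + encode_qname(name) + b"\x00\x01\x00\x01"

def parse_qname(payload: bytes) -> str:
    """Extract the first question name from a raw DNS query payload (the UDP data)."""
    if len(payload) < 12 or int.from_bytes(payload[4:6], "big") == 0:
        raise ValueError("not a DNS message with a question section")
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question name")
        length = payload[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a query's question name
            raise ValueError("unexpected compression pointer")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def shannon_entropy(s: str) -> float:  # bits per character; random-looking labels score high
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def dga_features(name: str) -> dict:
    """Features of the registrable (second-level) label; the TLD is ignored."""
    parts = name.split(".")
    sld = parts[-2] if len(parts) >= 2 else parts[0]
    vowels = sum(ch in "aeiou" for ch in sld)
    return {"len": len(sld), "entropy": round(shannon_entropy(sld), 2),
            "vowel_ratio": round(vowels / max(len(sld), 1), 2)}

def is_suspicious(name: str) -> bool:
    # Illustrative thresholds (not the paper's rules): long, high-entropy, consonant-heavy labels.
    # Dictionary-based DGAs produce pronounceable names and would pass this check unflagged.
    f = dga_features(name)
    return f["len"] >= 12 and f["entropy"] >= 3.0 and f["vowel_ratio"] <= 0.35

def flag_queries(payloads: list) -> list:  # names whose captured queries trip the heuristic
    return [q for q in (parse_qname(p) for p in payloads) if is_suspicious(q)]

# Constructed sample captures: two benign lookups and one random-looking DGA-style name.
SAMPLE_QUERIES = [build_query(n) for n in
                  ("www.example.com", "mail.example.org", "qzxkvbtrnpwmfhjd.example")]
```

In a deployment the flagged names would be forwarded to the analysis backend (Splunk, in the paper's setup) rather than acted on locally, so that threshold tuning and the false positives of long legitimate labels can be reviewed.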
License
Copyright (c) 2023 Collection "Information Technology and Security"
This work is licensed under a Creative Commons Attribution 4.0 International License.