Botnet Detection


Hackers rarely launch attacks form their own IP addresses unless they want to be caught. Instead, they command an army of botnets to carryout various malicious activities including sending ransomware emails, launching DDoS attacks or scanning a victim’s network to uncover additional valuable assets. Command and Control is the primary communication vehicle hackers use to control their botnet.

Command and control networks once had static IP addresses. As security became more sophisticated and malicious IP addresses were blacklisted, hackers began avoiding detection of command and control by transforming Domain Generating Algorithms (DGA) into C&C servers. Each time a Botnet needs to reach a C&C server it sends out a dynamic domain name that is predefined by algorithm only known to the attackers. These DNS requests change quickly and are very difficult to detect using traditional firewall and threat intelligence.

*sourced from (March 2018)

Innovation Overview

Neural-X uses a set of advanced deep learning,visual calculation and flow analysis technologies to uncover botnets.

• Deep Learning:
Deep learning is a complex element of machine learning inspired by the function of interconnecting neurons in the human brain. It is part of Artificial Intelligence and can be considered as an evolution to Machine Learning. As the names goes, it can learn by itself by obersving and processing milllions of data so that it can make more accurate & faster predictions.

Sangfor uses Deep Learning to break down cryptic domain names into vectors that are understood by machine. Unlike other natural language processing techniques which primarily focus on either benign or malicious malware, Sangfor’s deep learning takes malware family into accounts in our models. Through a process of association of the vectors, we are able to detect domain names used by malware of similar families. In addition, our deep learning trains itself over time “learning” more each time it is executed. The net result is our ability to identify many more malicious domain names.ious domain names.

• Visual Calculation:
Families of malware still go back to its original families or relatives of domain names for C&C communications. By creating an association map of the domain names we are able to detect near domain names used by a family malware.

• Flow Analysis:
Malware would typically generate abnormal traffic data in order to reach its C&C servers. During malware analysis, Sangfor’s ZSand would observe and capture these activities. A controlled botnet that sends out phishing emails from a spoofed email address to many random targets would display very different behavior as compared to human email user. The evidence is then processed and the result of malicious behavior patterns are discovered by our flow analysis engine. Finally, confirmed evidence of IOC of IP, URL and DNS are shared in our Threat Intelligence for all customers to benefit.

Botnet Detection Results

By combining the techniques mentioned above, we are able to uncover significantly more malicious domain names compared to popular sources such as VirusTotal. Our Botnet detection tool uncovered several new malicious domain names as illustrated below in a comparison between the malicious domain names discovered by VirusTotal & Sangfor.

*Source: Sangfor Neural-X Research Team, March 17, 2018.

Our Advantages

Today, Neural-X has uncovered over a million malicious domain names using our own Botnet detection capability and this list is growing daily.

Our Social Networks

Global Service Center: