Abstract
Domain Generation Algorithm (DGA) is a popular technique used by many malware developers in recent times. Nowadays, DGA is an evasive technique used by many of the Advanced Persistent Threat (APT) groups and Botnets to bypass host and network-level detection mechanisms. Legacy malware developers used to hard code the IP address of control and command server in malware payload. But, this led to identifying malicious IP address by reverse engineering the malware payload. Drawbacks in this hardcoding IP mechanism led to the idea of character-based Domain Generation Algorithms, where attackers generate a list of domain names using traditional cryptographic principles of pseudo-random number generators (PRNGs). Recent advances in malware research, machine learning address this problem to a large extent. Lately, malware developers came up with a new variant of DGA called word-list based DGA. In this approach, the malware uses a set of words from the dictionary to construct meaningful substrings that resembles real domain names. In this paper, we propose a new method for detecting Word-list based DGA domain names using ensemble approaches with 15 features (both lexical and network-level). Added to this, we generated syntactic data using CTGAN (GAN-based data synthesizer that can generate synthetic data) to measure the robustness of our model. In our experiment, C5.0 stands out as the best with prediction accuracy of 0.9503 and out of 30000 synthetically generated malicious domains names, 1351 classified as benign.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Chen, X., et al.: Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In: IEEE International Conference on Dependable Systems and Networks with FTCS and DCC (DSN), pp. 177–186. IEEE (2008)
Sai Charan, P.V., Gireesh Kumar, T., Mohan Anand, P.: Advance persistent threat detection using long short term memory (LSTM) neural networks. In: Somani, A.K., Ramakrishna, S., Chaudhary, A., Choudhary, C., Agarwal, B. (eds.) ICETCE 2019. CCIS, vol. 985, pp. 45–54. Springer, Singapore (2019). https://doi.org/10.1007/978-981-13-8300-7_5
Sood, A.K., Zeadally, S.: A taxonomy of domain-generation algorithms. IEEE Secur. Privacy 14(4), 46–53 (2016)
Kumar, A., Gupta, M., Kumar, G., Handa, A., Kumar, N., Shukla, S.K.: A review: malware analysis work at IIT Kanpur. In: Shukla, S.K., Agrawal, M. (eds.) Cyber Security in India. ID, vol. 4, pp. 39–48. Springer, Singapore (2020). https://doi.org/10.1007/978-981-15-1675-7_5
Schiavoni, S., Maggi, F., Cavallaro, L., Zanero, S.: Phoenix: DGA-based botnet tracking and intelligence. In: Dietrich, S. (ed.) DIMVA 2014. LNCS, vol. 8550, pp. 192–211. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08509-8_11
Royal, P.: Analysis of the kraken botnet. Damballa, 9 April 2008
Shin, S., Gu, G.: Conficker and beyond: a large-scale empirical study. In: Proceedings of the 26th Annual Computer Security Applications Conference, pp. 151–160 (2010)
Mohaisen, A., Alrawi, O.: Unveiling zeus: automated classification of malware samples. In: Proceedings of the 22nd International Conference on World Wide Web, pp. 829–832 (2013)
Brahara, B., Syamsuar, D., Kunang, Y.N.: Analysis of malware DNS attack on the network using domain name system indicators. J. Inf. Syst. Inform. 2(1), 131–153 (2020)
Anand, P.M., Kumar, T.G., Charan, P.S.: An Ensemble approach for algorithmically generated domain name detection using statistical and lexical analysis. Procedia Comput. Sci. 171, 1129–1136 (2020)
Berman, D.S., et al.: DGA CapsNet: 1D application of capsule networks to DGA detection. Information 10(5), 157 (2019)
Matrosov, A., Rodionov, E.: Defeating x64: modern trends of kernel-mode rootkits (2011). https://www.eset.com/fileadmin/eset/US/resources/docs/white-papers/white-papers-defeating-x-64-modern-trends-of-kernel-mode-rootkits.pdf. Accessed 21 Oct 2011
Matsnu-DGA. https://www.securityweek.com/new-variant-matsnu-trojan-uses-configurable-dg. Accessed 15 June 2020
Fu, Y.: Using botnet technologies to counteract network traffic analysis (2017)
Yadav, S., Reddy, A.K.K., Reddy, A.N., Ranjan, S.: Detecting algorithmically generated malicious domain names. In: Proceedings of the 10th ACM SIGCOMM Conference on Internet Measurement, pp. 48–61 (2010)
Da Luz, P.M.: Botnet detection using passive DNS. Radboud University, Nijmegen, The Netherlands (2014)
Selvi, J., RodrÃguez, R.J., Soria-Olivas, E.: Detection of algorithmically generated malicious domain names using masked N-grams. Expert Syst. Appl. 124, 156–163 (2019)
Plohmann, D., Yakdan, K., Klatt, M., Bader, J., Gerhards-Padilla, E.: A comprehensive measurement study of domain generating malware. In: 25th USENIX Security Symposium (USENIX Security 16), pp. 263–278 (2016)
Curtin, R.R., Gardner, A.B., Grzonkowski, S., Kleymenov, A., Mosquera, A.: Detecting DGA domains with recurrent neural networks and side information. In: Proceedings of the 14th International Conference on Availability, Reliability and Security, pp. 1–10 (2019)
Yang, L., et al.: Detecting word-based algorithmically generated domains using semantic analysis. Symmetry 11(2), 176 (2019)
Woodbridge, J., Anderson, H.S., Ahuja, A., Grant, D.: Predicting domain generation algorithms with long short-term memory networks. arXiv preprint arXiv:1611.00791 (2016)
Choi, H., Lee, H., Kim, H.: BotGAD: detecting botnets by capturing group activities in network traffic. In: Proceedings of the Fourth International ICST Conference on COMmunication System softWAre and middlewaRE, pp. 1–8 (2009)
Abbink, J., Doerr, C.: Popularity-based detection of domain generation algorithms. In: Proceedings of the 12th International Conference on Availability, Reliability and Security, pp. 1–8 (2017)
Word Ninja. https://github.com/keredson/wordninja. Accessed 15 June 2020
whois 0.9.6. https://pypi.org/project/whois. Accessed 15 June 2020
Mixed Naive Bayes. https://pypi.org/project/mixed-naive-bayes. Accessed 15 June 2020
Wold, S., Esbensen, K., Geladi, P.: Principal component analysis. Chemometr. Intell. Lab. Syst. 2(1–3), 37–52 (1987)
De la Porte, J., Herbst, B.M., Hereman, W., Van Der Walt, S.J.: An introduction to diffusion maps. In: Proceedings of the 19th Symposium of the Pattern Recognition Association of South Africa (PRASA 2008), Cape Town, South Africa, pp. 15–25 (2008)
Zheng, T., Salganik, M.J., Gelman, A.: How many people do you know in prison? Using overdispersion in count data to estimate social structure in networks. J. Am. Stat. Assoc. 101(474), 409–423 (2006)
Yan, K., Zhang, D.: Feature selection and analysis on correlated gas sensor data with recursive feature elimination. Sens. Actuat. B: Chem. 212, 353–363 (2015)
Diffusion Map for Manifold Learning. https://www.kdnuggets.com/2020/03/diffusion-map-manifold-learning-theory-implementation.html. Accessed 15 June 2020
Xu, L., Skoularidou, M., Cuesta-Infante, A., Veeramachaneni, K.: Modeling tabular data using conditional gan. In: Advances in Neural Information Processing Systems, pp. 7335–7345 (2019)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Charan, P.V.S., Shukla, S.K., Anand, P.M. (2020). Detecting Word Based DGA Domains Using Ensemble Models. In: Krenn, S., Shulman, H., Vaudenay, S. (eds) Cryptology and Network Security. CANS 2020. Lecture Notes in Computer Science(), vol 12579. Springer, Cham. https://doi.org/10.1007/978-3-030-65411-5_7
Download citation
DOI: https://doi.org/10.1007/978-3-030-65411-5_7
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-65410-8
Online ISBN: 978-3-030-65411-5
eBook Packages: Computer ScienceComputer Science (R0)