A Novel Detection Method for Word-Based DGA

  • Luhui YangEmail author
  • Guangjie Liu
  • Jiangtao Zhai
  • Yuewei Dai
  • Zhaozhi Yan
  • Yuguang Zou
  • Wenchao Huang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11064)


As the existing DGA detection methods always don’t take into account the problem of word-based DGA method, this will make it invalid. In this paper, a detection method against the word-based DGA has been proposed. Firstly, the word-based DGA methods are analyzed and three type features that the word feature, part-of-speech feature and word correlation feature are analyzed. Then 16 features are concluded from the above analysis and two typical word-based DGA methods Matsnu and Suppobox are chosen as the test object. Finally, the random forest classifier is used in detection. The comparison experimental results show that the proposed method has better performance than the existing ones.


DGA detection Random forest Information security 



This work was supported by the National Natural Science Foundation of China (Grants nos. 61702235, 61602247, 61472188, and U1636117), Natural Science Foundation of Jiangsu Province (Grants no. BK20160840 and BK20150472), CCF-VENUSTECH Foundation (Grant no. 2016011), and Fundamental Research Funds for the Central Universities (30920140121006 and 30915012208).


  1. 1.
    Chanthakoummane, Y., Saiyod, S., Benjamas, N., Khamphakdee, N.: Improving intrusion detection on Snort rules for Botnets detection. In: Kim, K., Joukov, N. (eds.) Information Science and Applications (ICISA) 2016. LNCS, vol. 376, pp. 765–779. Springer, Singapore (2016). Scholar
  2. 2.
    Yadav, S., Reddy, A.K.K., Reddy, A.L., Ranjan, S.: Detecting algorithmically generated malicious domain names. In: Proceedings of the 10th ACM SIGCOMM conference on Internet measurement, pp. 48–61. ACM (2010)Google Scholar
  3. 3.
    Yadav, S., Reddy, A.K.K., Reddy, A.N., Ranjan, S.: Detecting algorithmically generated domain-flux attacks with DNS traffic analysis. IEEE ACM Trans. Netw. 20, 1663–1677 (2012)CrossRefGoogle Scholar
  4. 4.
    Bilge, L., Sen, S., Balzarotti, D., Kirda, E., Kruegel, C.: Exposure: a passive DNS analysis service to detect and report malicious domains. ACM Trans. Inf. Syst. Secur. (TISSEC) 16, 128 (2014)CrossRefGoogle Scholar
  5. 5.
    Schiavoni, S., Maggi, F., Cavallaro, L., Zanero, S.: Tracking and characterizing Botnets using automatically generated domains. arXiv (2013)Google Scholar
  6. 6.
    Schiavoni, S., Maggi, F., Cavallaro, L., Zanero, S.: Phoenix: DGA-based botnet tracking and intelligence. In: Dietrich, S. (ed.) DIMVA 2014. LNCS, vol. 8550, pp. 192–211. Springer, Cham (2014). Scholar
  7. 7.
    Mowbray, M., Hagen, J.: Finding domain-generation algorithms by looking at length distribution. In: IEEE International Symposium on Software Reliability Engineering Workshops, pp. 395–400. IEEE (2014)Google Scholar
  8. 8.
    Raghuram, J., Miller, D.J., Kesidis, G.: Unsupervised, low latency anomaly detection of algorithmically generated domain names by generative probabilistic modeling. J. Adv. Res. 5, 423–433 (2014)CrossRefGoogle Scholar
  9. 9.
    Grill, M., Nikolaev, I., Valeros, V., Rehak, M.: Detecting DGA malware using NetFlow. In: 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM), pp. 1304–1309. IEEE (2015)Google Scholar
  10. 10.
    Nguyen, T.D., Cao, T.D., Nguyen, L.G.: DGA botnet detection using collaborative filtering and density based clustering. In: Proceedings of the Sixth International Symposium on Information and Communication Technology, pp. 203–209. ACM (2015)Google Scholar
  11. 11.
    Wang, T., Hu, X., Jang, J., Ji, S., Stoecklin, M., Taylor, T.: BotMeter: charting DGA-botnet landscapes in large networks. In: 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS), pp. 334–343. IEEE (2016)Google Scholar
  12. 12.
    Woodbridge, J., Anderson, H.S., Ahuja, A., Grant, D.: Predicting domain generation algorithms with long short-term memory networks. arXiv (2016)Google Scholar
  13. 13.
    Anderson, H.S., Woodbridge, J., Filar, B.: DeepDGA: adversarially-tuned domain generation and detection. In: Proceedings of the 2016 ACM Workshop on Artificial Intelligence and Security, pp. 13–21. ACM (2016)Google Scholar
  14. 14.
    Yu, B., Gray, D.L., Pan, J., De Cock, M., Nascimento, A.C.: Inline DGA detection with deep networks. In: 2017 IEEE International Conference on Data Mining Workshops (ICDMW), pp. 683–692. IEEE (2017)Google Scholar
  15. 15.
    Bird, S., Loper, E.: NLTK: the natural language Toolkit. In: Proceedings of the ACL 2004 on Interactive Poster and Demonstration Sessions, p. 31. Association for Computational Linguistics (2004)Google Scholar
  16. 16.
    Google: word2vec. Accessed 12 May 2018

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Luhui Yang
    • 1
    Email author
  • Guangjie Liu
    • 1
  • Jiangtao Zhai
    • 2
  • Yuewei Dai
    • 2
  • Zhaozhi Yan
    • 3
  • Yuguang Zou
    • 3
  • Wenchao Huang
    • 3
  1. 1.Nanjing University of Science and TechnologyNanjingChina
  2. 2.Jiangsu University of Science and TechnologyZhenjiangChina
  3. 3.Nanjing Institute of Information TechnologyNanjingChina

Personalised recommendations