Detecting Broad Length Algorithmically Generated Domains

  • Aashna Ahluwalia
  • Issa TraoreEmail author
  • Karim Ganame
  • Nainesh Agarwal
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10618)


Domain generation algorithm (DGA) represents a safe haven for modern botnets, as it enables them to escape detection. Due to the fact that DGA domains are generated randomly, they tend to be unusually long, which can be leveraged toward detecting them. Shorter DGA domains, in contrast, are more difficult to detect, as most legitimate domains are relatively short. We introduce in this paper, a new detection model that uses information theoretic features, and leverage the notion of domain length threshold to detect dynamically and transparently DGA domains regardless of their lengths. Experimental evaluation of the approach using public datasets yields detection rate (DR) of 98.96% and false positive rate (FPR) of 2.1%, when using random forests classification technique.


HTTP botnet Botnet detection Machine learning Passive DNS DGA domains Malicious fast flux DNS Domain length 


  1. 1.
    Antonakakis, M., Perdisci, R., Nadji, Y., Vasiloglou, N., Abu-Nimeh, S., Lee, W., Dagon, D.: From throw-away traffic to bots: detecting the rise of DGA-based malware. In: 21st Usenix Security Symposium, 8–10 August 2012 (2012)Google Scholar
  2. 2.
    Ma, J., Saul, L.K., Savage, S., Voelker, G.M.: Beyond blacklists: learning to detect malicious web sites from suspicious URLs. In: Proceedings of the 15th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, Paris, France, 28 June–01 July 2009, pp. 1245–1254 (2009)Google Scholar
  3. 3.
    McGrath, D.K., Gupta, M.: Behind phishing: an examination of phisher modi operandi. In: Proceedings of 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats, San Francisco, CA, USA, 15 April 2008 (2008)Google Scholar
  4. 4.
    Mowbray, M., Hagen, J.: Finding domain-generation algorithms by looking at length distributions. In: 2014 IEEE International Symposium Software Reliability Engineering Workshops (ISSREW), Naples, Italy, 3–6 November 2014 (2014)Google Scholar
  5. 5.
    Norvig, P.: Natural language corpus data. In: Beautiful Data, pp. 219–242, June 2009. Chapter 14Google Scholar
  6. 6.
    Sharifnya, R., Abadi, M.: A novel reputation system to detect DGA-based botnets. In: 2013 3rd International eConference on Computer and Knowledge Engineering (ICCKE), pp. 417–423 (2013)Google Scholar
  7. 7.
    Schiavoni, S., Maggi, F., Cavallaro, L., Zanero, S.: Phoenix: DGA-based botnet tracking and intelligence. In: Dietrich, S. (ed.) DIMVA 2014. LNCS, vol. 8550, pp. 192–211. Springer, Cham (2014). doi: 10.1007/978-3-319-08509-8_11 Google Scholar
  8. 8.
    Yadav, S., Reddy, A.K.K., Reddy, A.L.N., Ranjan, S.: Detecting algorithmically generated malicious domain names. In: Proceedings of the 10th ACM SIGCOMM Conference on Internet Measurement (IMC 2010), pp. 48–61. ACM, New York (2010)Google Scholar
  9. 9.
    Wang, W., Shirley, K.: Breaking Bad: detecting malicious domains using word segmentation. In: Proceedings of the 9th Workshop on Web 2.0 Security and Privacy (W2SP) (2015)Google Scholar
  10. 10.
    Weymes, B.: DNS anomaly detection: defend against sophisticated malware, 28 May 2013. Web, 28 June 2017.
  11. 11.
    Zhao, D., Traore, I., Sayed, B., Lu, W., Saad, S., Ghorbani, A., Garant, D.: Botnet detection based on traffic behavior analysis and flow intervals. Elsevier J. Comput. Secur. 39, 2–16 (2013)CrossRefGoogle Scholar
  12. 12.
    Zhao, D., Traore, I.: P2P botnet detection through malicious fast flux network identification. In: 7th International Conference on P2P, Parallel, Grid, Cloud, and Internet Computing - 3PGCIC 2012, Victoria, BC, Canada, 12–14 November 2012 (2012)Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Aashna Ahluwalia
    • 1
  • Issa Traore
    • 1
    Email author
  • Karim Ganame
    • 2
  • Nainesh Agarwal
    • 3
  1. 1.ECE DepartmentUniversity of VictoriaVictoriaCanada
  2. 2.StreamScanMontrealCanada
  3. 3.BC Provincial GovernmentVictoriaCanada

Personalised recommendations