CharBot: A Simple and Effective Method for Evading DGA Classifiers

Peck, Jonathan; Nie, Claire; Sivaguru, Raaghavi; Grumer, Charles; Olumofin, Femi; Yu, Bin; Nascimento, Anderson C. A.; Cock, Martine De

doi:10.1109/access.2019.2927075

Cited by 50 publications

(33 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To the best of our knowledge, this is only work which can capture generated domain names with this level of fidelity, and as such, can be instrumental in tracking and detecting botnets via DNS traffic. Furthermore, we have found that Helix is robust to the camouflage evasion techniques [2,12,18] compared a state of the art DGA classifier. Lastly, Helix is practical because autoencoders are trained in an unsupervised manner, meaning that there is no need for manual labeling.…”

Section: Candcmentioning

confidence: 98%

See 1 more Smart Citation

Helix

Sidi

Mirsky

Nadler

et al. 2020

Proceedings of the 29th ACM International Conference on Information &Amp; Knowledge Management

View full text Add to dashboard Cite

Botnets have been using domain generation algorithms (DGA) for over a decade to covertly and robustly identify the domain name of their command and control servers (C&C). Recent advancements in DGA detection has motivated botnet owners to rapidly alter the C&C domain and use adversarial techniques to evade detection. As a result, it has become increasingly difficult to track botnets in DNS traffic. In this paper, we present Helix, a method for tracking and exploring botnets. Helix uses a spatio-temporal deep neural network autoencoder to convert domains into numerical vectors (embeddings) which capture the DGA and seed used to create the domain. This is made possible by leveraging both convolutional (spatial) and recurrent (temporal) layers, and by using techniques such as attention mechanisms and highways. Furthermore, by using an autoencoder architecture, the network can be trained in an unsupervised manner (no labeling of data) which makes the system practical for real world deployments. In our evaluation, we found that Helix can track botnet campaigns, distinguish between DGA families and seeds, and can identify domains generated using the latest adversarial machine learning techniques. Helix is currently being used to track botnets in one of the world's largest Internet Service Providers (ISP), and we include some of the ISP's analysis work using our method. CCS CONCEPTS • Security and privacy → Intrusion/anomaly detection and malware mitigation.

show abstract

Section: Candcmentioning

confidence: 98%

“…Hi master, what should I do now? Figure 1: An illustration of the process which an attacker performs in order to connect a botnet to a C&C. [16,19] [Helix ] generated ones [2,12,18]. Therefore, there is a need for a stronger representation of domain names, one which can capture both the underlying DGA and the presence of camouflage attacks.…”

Section: Candcmentioning

confidence: 99%

Helix

Sidi

Mirsky

Nadler

et al. 2020

Proceedings of the 29th ACM International Conference on Information &Amp; Knowledge Management

View full text Add to dashboard Cite

show abstract

“…This paper uses raw data collected from three sources: Alexa, Qname, and Bambenek. The data sets utilized are the same as those used in [8].…”

Section: Raw Datamentioning

confidence: 99%

“…Bambenek 2 offers a daily feed of domains generated by reverse engineering known families of malware. One million different DGA domains were collected over the course of three days to construct a malicious data set [8].…”

Section: Raw Datamentioning

confidence: 99%

See 1 more Smart Citation

Hardening DGA Classifiers Utilizing IVAP

Grumer

Peck

Olumofin³

et al. 2019

2019 IEEE International Conference on Big Data (Big Data)

Self Cite

View full text Add to dashboard Cite

Domain Generation Algorithms (DGAs) are used by malware to generate a deterministic set of domains, usually by utilizing a pseudo-random seed. A malicious botmaster can establish connections between their command-and-control center (C&C) and any malware-infected machines by registering domains that will be DGA-generated given a specific seed, rendering traditional domain blacklisting ineffective. Given the nature of this threat, the real-time detection of DGA domains based on incoming DNS traffic is highly important. The use of neural network machine learning (ML) models for this task has been well-studied, but there is still substantial room for improvement. In this paper, we propose to use Inductive Venn-Abers predictors (IVAPs) to calibrate the output of existing ML models for DGA classification. The IVAP is a computationally efficient procedure which consistently improves the predictive accuracy of classifiers at the expense of not offering predictions for a small subset of inputs and consuming an additional amount of training data.

show abstract

Permissionless proof‐of‐reputation‐X: A hybrid reputation‐based consensus algorithm for permissionless blockchains

Abdo

Sibai

Demerjian

2020

Trans Emerging Tel Tech

View full text Add to dashboard Cite

Over the past years, blockchain technology has become more and more interesting since its ability to carry out transactions without any mediator. To ensure the transactions' reliability, consensus algorithms are adopted by blockchain technology. However, due to the failure of consensus algorithms in managing nodes' identities, blockchain technology is considered inappropriate for many applications. In this article, we propose the permissionless proof‐of‐reputation‐X (PL‐PoRX) that upgrades an existing consensus algorithm, the proof‐of‐reputation‐X (PoRX). PL‐PoRX replaces the trusted identity database in PoRX with a new admission process to make the algorithm suitable for permissionless blockchains, while maintaining PoRX's reputation mechanism. Several experiments are conducted to show the efficiency of our approach under different scenarios. We also debate the security model of the new protocol and study its time complexity. The results show that PL‐PoRX decreases the number of blocks issued by malicious miners, and help benign miners build reputation faster.

show abstract

CharBot: A Simple and Effective Method for Evading DGA Classifiers

Cited by 50 publications

References 32 publications

Helix

Helix

Hardening DGA Classifiers Utilizing IVAP

Permissionless proof‐of‐reputation‐X: A hybrid reputation‐based consensus algorithm for permissionless blockchains

Contact Info

Product

Resources

About